File _patchinfo of Package patchinfo.32221

<patchinfo incident="32221">
  <issue tracker="ijsc" id="MSQA-719"/>
  <issue tracker="bnc" id="1192154">VUL-0: CVE-2021-3807: nodejs12,nodejs4,nodejs6,nodejs8,nodejs10,nodejs14: node-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes</issue>
  <issue tracker="bnc" id="1192696">VUL-0: CVE-2021-3918: nodejs14, nodejs10, nodejs12, nodejs8: json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')</issue>
  <issue tracker="bnc" id="1193492">VUL-0: CVE-2021-43798: grafana: arbitrary file read in the graph native plugin</issue>
  <issue tracker="bnc" id="1193686">VUL-1: CVE-2021-43815: grafana: directory traversal for .csv files</issue>
  <issue tracker="bnc" id="1200480">VUL-0: CVE-2021-43138: spacewalk-web: a malicious user can obtain privileges via the mapValues() method</issue>
  <issue tracker="bnc" id="1204023">VUL-0: CVE-2022-41715: go1.18,go1.19: regexp/syntax: limit memory used by parsing regexps</issue>
  <issue tracker="bnc" id="1218838">VUL-0: CVE-2023-40577: golang-github-prometheus-alertmanager: prometheus-alertmanager: UI is vulnerable to stored XSS via the /api/v1/alerts endpoint</issue>
  <issue tracker="bnc" id="1218843">VUL-0: CVE-2020-7753: grafana: nodejs-trim: Regular Expression Denial of Service (ReDoS) in trim function</issue>
  <issue tracker="bnc" id="1218844">VUL-0: CVE-2022-0155: grafana: follow-redirects: Exposure of Private Personal Information to an Unauthorized Actor</issue>
  <issue tracker="jsc" id="PED-7353"/>
  <issue tracker="cve" id="2023-40577"/>
  <issue tracker="cve" id="2022-41715"/>
  <issue tracker="cve" id="2020-7753"/>
  <issue tracker="cve" id="2021-3807"/>
  <issue tracker="cve" id="2021-3918"/>
  <issue tracker="cve" id="2021-43138"/>
  <issue tracker="cve" id="2022-0155"/>
  <issue tracker="cve" id="2021-43815"/>
  <issue tracker="cve" id="2021-43798"/>
  <packager>raulosuna</packager>
  <rating>moderate</rating>
  <category>security</category>
  <summary>Security update for SUSE Manager Client Tools</summary>
  <description>
This update fixes the following issues:

golang-github-lusitaniae-apache_exporter:

- Do not strip if SUSE Linux Enterprise 15 SP3
- Exclude debug for Red Hat Enterprise Linux &gt;= 8
- Build with Go &gt;= 1.20 when the OS is not Red Hat Enterprise Linux

golang-github-prometheus-alertmanager:

- Create position independent executables (PIE)
- Add System/Monitoring group tag
- Update to version 0.26.0 (jsc#PED-7353):
  https://github.com/prometheus/alertmanager/releases/tag/v0.26.0
  * CVE-2023-40577: Fix stored XSS via the /api/v1/alerts endpoint
    in the Alertmanager UI (bsc#1218838)
  * Configuration: Fix a crash of the alertmanager caused by an
    empty list of receivers and inhibit_rules
  * Templating: Fixed a race condition when using the title
    function. It is now race-safe
  * API: Fixed duplicate receiver names in the api/v2/receivers API
    endpoint
  * API: Attempting to delete a silence now returns the correct
    status code, 404 instead of 500
  * Clustering: Fixes a panic when tls_client_config is empty
  * Webhook: url is now marked as a secret. It will no longer show
    up in the logs as clear-text
  * Metrics: New label reason for
    alertmanager_notifications_failed_total metric to indicate the
    type of error of the alert delivery
  * Clustering: New flag --cluster.label, to help to block any
    traffic that is not meant for the cluster
  * Integrations: Add Microsoft Teams as a supported integration
- Update to version 0.25.0:
  https://github.com/prometheus/alertmanager/releases/tag/v0.25.0
  * Fail configuration loading if api_key and api_key_file are
    defined at the same time
  * Fix the alertmanager_alerts metric to avoid counting resolved
    alerts as active. Also added a new alertmanager_marked_alerts
    metric that retains the old behavior
  * Trim contents of Slack API URLs when reading from files
  * amtool: Avoid panic when the label value matcher is empty
  * Fail configuration loading if api_url is empty for OpsGenie
  * Fix email template for resolved notifications
  * Add proxy_url support for OAuth2 in HTTP client configuration
  * Reload TLS certificate and key from disk when updated
  * Add Discord integration
  * Add Webex integration
  * Add min_version support to select the minimum TLS version in
    HTTP client configuration
  * Add max_version support to select the maximum TLS version in
  * Emit warning logs when truncating messages in notifications
  * Support HEAD method for the /-/healthy and /-/ready endpoints
  * Add support for reading global and local SMTP passwords from
    files
  * UI: Add 'Link' button to alerts in list
  * UI: Allow choosing the first day of the week as Sunday or
    Monday
- Update to version 0.24.0:
  https://github.com/prometheus/alertmanager/releases/tag/v0.24.0
  * Fix HTTP client configuration for the SNS receiver
  * Fix unclosed file descriptor after reading the silences
    snapshot file
  * Fix field names for mute_time_intervals in JSON marshaling
  * Ensure that the root route doesn't have any matchers
  * Truncate the message's title to 1024 chars to avoid hitting
    Slack limits
  * Fix the default HTML email template (email.default.html) to
    match with the canonical source
  * Detect SNS FIFO topic based on the rendered value
  * Avoid deleting and recreating a silence when an update is
    possible
  * api/v2: Return 200 OK when deleting an expired silence
  * amtool: Fix the silence's end date when adding a silence. The
    end date is (start date + duration) while it used to be
    (current time + duration). The new behavior is consistent with
    the update operation
  * Add the /api/v2 prefix to all endpoints in the OpenAPI
    specification and generated client code
  * Add --cluster.tls-config experimental flag to secure cluster
    traffic via mutual TLS
  * Add Telegram integration

mgr-daemon:

- Version 4.3.8-1
  * Update translation strings

prometheus-postgres_exporter:

- Remove duplicated call to systemd requirements
- Do not build debug if Red Hat Enterprise Linux &gt;= 8
- Do not strip if SUSE Linux Enterprise 15 SP3
- Build at least with Go &gt;= 1.18 on Red Hat Enterprise Linux
- Build with Go &gt;= 1.20 elsewhere

spacecmd:

- Version 4.3.26-1
  * Update translation strings

spacewalk-client-tools:

- Version 4.3.18-1
  * Update translation strings

</description>
</patchinfo>