Update Info

SUSE-SLE-Module-Packagehub-Subpackages-15-SP7-2026-2267


Security update for golang-github-prometheus-prometheus


Type: security
Severity: important
Issued: 2026-06-03
Description:
This update for golang-github-prometheus-prometheus to version 3.5.3 fixes the following issues:

- Security issues fixed:

  - CVE-2026-42151: AzureAD remote write: Fixed OAuth client_secret
    being exposed in plaintext via /-/config endpoint (bsc#1263986)
  - CVE-2026-42154: Remote-read: Reject snappy-compressed requests
    whose declared decoded length exceeds the decode limit
    (bsc#1263987)
  - CVE-2026-40179: UI: Fixed stored XSS via unescaped le label
    values in old UI heatmap chart tick labels (bsc#1262222)
  - CVE-2026-33186: Fixed authorization bypass due to improper
    validation of the HTTP/2 :path pseudo-header (bsc#1260267)
    * Bump google.golang.org/grpc to version 1.79.3
  - CVE-2026-27606: Fixed arbitrary file write via path traversal in
    rollup (bsc#1258893)
    * Bump rollup to version 4.59.0

- Other changes:

  - Remote-Write: Reject snappy-compressed requests whose
    declared decoded length exceeds the decode limit.
  - Use systemd tmpfiles.d to create /var/lib/prometheus hierarchy (jsc#PED-14816)


              

Packages


  • golang-github-prometheus-prometheus-3.5.3-150100.4.34.1