<?xml version="1.0" encoding="UTF-8"?>
<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1" xmlns:cvrf="http://www.icasi.org/CVRF/schema/cvrf/1.1">
  <DocumentTitle xml:lang="en">Security update for golang-github-prometheus-prometheus</DocumentTitle>
  <DocumentType>SUSE Patch</DocumentType>
  <DocumentPublisher Type="Vendor">
    <ContactDetails>security@suse.de</ContactDetails>
    <IssuingAuthority>SUSE Security Team</IssuingAuthority>
  </DocumentPublisher>
  <DocumentTracking>
    <Identification>
      <ID>openSUSE-SU-2026:20177-1</ID>
    </Identification>
    <Status>Final</Status>
    <Version>1</Version>
    <RevisionHistory>
      <Revision>
        <Number>1</Number>
        <Date>2026-02-05T10:44:24Z</Date>
        <Description>current</Description>
      </Revision>
    </RevisionHistory>
    <InitialReleaseDate>2026-02-05T10:44:24Z</InitialReleaseDate>
    <CurrentReleaseDate>2026-02-05T10:44:24Z</CurrentReleaseDate>
    <Generator>
      <Engine>cve-database/bin/generate-cvrf.pl</Engine>
      <Date>2017-02-24T01:00:00Z</Date>
    </Generator>
  </DocumentTracking>
  <DocumentNotes>
    <Note Title="Topic" Type="Summary" Ordinal="1" xml:lang="en">Security update for golang-github-prometheus-prometheus</Note>
    <Note Title="Details" Type="General" Ordinal="2" xml:lang="en">This update for golang-github-prometheus-prometheus fixes the following issues:

Update to version 3.5.0:

Security issues fixed:

- CVE-2025-13465: prototype pollution in the lodash _.unset and _.omit functions; crafted paths can delete methods from global prototypes (bsc#1257329).
- CVE-2025-12816: interpretation conflict in node-forge ASN.1 parsing that may bypass downstream cryptographic verifications (bsc#1255588).

Other updates and bugfixes:

- Update to 3.5.0 (jsc#PED-13824):

  * [FEATURE] Remote-write: Add support for Azure Workload Identity
    as an authentication method for the receiver.
  * [FEATURE] PromQL: Add first_over_time(...) and
    ts_of_first_over_time(...) behind feature flag.
  * [FEATURE] Federation: Add support for native histograms with
    custom buckets (NHCB).
  * [ENHANCEMENT] PromQL: Add warn-level annotations for counter
    reset conflicts in certain histogram operations.
  * [ENHANCEMENT] UI: Add scrape interval and scrape timeout to
    targets page.

- Update to 3.4.0:

  * Add unified AWS service discovery for ec2, lightsail and ecs services.
  * [FEATURE] Native histograms are now a stable, but optional
    feature.
  * [FEATURE] UI: Show detailed relabeling steps for each
    discovered target.
  * [ENHANCEMENT] Alerting: Add "unknown" state for alerting rules
    that haven't been evaluated yet.
  * [BUGFIX] Scrape: Fix a bug where scrape cache would not be
    cleared on startup.

- Update to 3.3.0:

  * [FEATURE] Spring Boot 3.3 includes support for the Prometheus
    Client 1.x.
  * [ENHANCEMENT] Dependency management for Dropwizard Metrics has
    been removed.

- Update to 3.2.0:

  * [FEATURE] OAuth2: support jwt-bearer grant-type (RFC7523 3.1).
  * [ENHANCEMENT] PromQL: Reconcile mismatched NHCB bounds in Add
    and Sub.
  * [BUGFIX] TSDB: Native Histogram Custom Bounds with a NaN
    threshold are now rejected.

- Update to 3.1.0:

  * [FEATURE] Remote-write 2 (receiving): Update to 2.0-rc.4 spec.
    "created timestamp" (CT) is now called "start timestamp" (ST).
  * [BUGFIX] Mixin: Add static UID to the remote-write dashboard.

- Update to 3.0.1:

  * [BUGFIX] PromQL: Make subqueries left open.
  * [BUGFIX] Fix memory leak when query log is enabled.
  * [BUGFIX] Support utf8 names on /v1/label/:name/values endpoint.

- Update to 3.0.0:

  * [CHANGE] Deprecated feature flags removed.
  * [FEATURE] New UI.
  * [FEATURE] Remote Write 2.0.
  * [FEATURE] OpenTelemetry Support.
  * [FEATURE] UTF-8 support is now stable and enabled by default.
  * [FEATURE] OTLP Ingestion.
  * [FEATURE] Native Histograms.
  * [BUGFIX] PromQL: Fix count_values for histograms.
  * [BUGFIX] TSDB: Fix race on stale values in headAppender.
  * [BUGFIX] UI: Fix selector / series formatting for empty metric
    names.

- Update to 2.55.0:

  * [FEATURE] PromQL: Add `last_over_time` function.
  * [FEATURE] Agent: Add `prometheus_agent_build_info` metric.
  * [ENHANCEMENT] PromQL: Optimise `group()` and `group by()`.
  * [ENHANCEMENT] TSDB: Reduce memory usage when loading blocks.
  * [BUGFIX] Scrape: Fix a bug where a target could be scraped
    multiple times.

- Update to 2.54.0:

  * [CHANGE] Remote-Write: highest_timestamp_in_seconds and
    queue_highest_sent_timestamp_seconds metrics now initialized to
    0.
  * [CHANGE] API: Split warnings from info annotations in API
    response.
  * [FEATURE] Remote-Write: Version 2.0 experimental, plus metadata
    in WAL via feature flag.
  * [FEATURE] PromQL: add limitk() and limit_ratio() aggregation
    operators.
  * [ENHANCEMENT] PromQL: Accept underscores in literal numbers.
  * [ENHANCEMENT] PromQL: float literal numbers and durations are
    now interchangeable (experimental).
  * [ENHANCEMENT] PromQL (experimental native histograms): Optimize
    histogram_count and histogram_sum functions.
  * [BUGFIX] PromQL: Fix various issues with native histograms.
  * [BUGFIX] TSDB: Fix race on stale values in headAppender.
  * [BUGFIX] OTLP receiver: Allow colons in non-standard units.

</Note>
    <Note Title="Terms of Use" Type="Legal Disclaimer" Ordinal="3" xml:lang="en">The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).</Note>
    <Note Title="Patchnames" Type="Details" Ordinal="4" xml:lang="en">openSUSE-Leap-16.0-243</Note>
  </DocumentNotes>
  <DocumentDistribution xml:lang="en">Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0)</DocumentDistribution>
  <DocumentReferences>
    <Reference Type="Self">
      <URL>https://www.suse.com/support/security/rating/</URL>
      <Description>SUSE Security Ratings</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1255588</URL>
      <Description>SUSE Bug 1255588</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1257329</URL>
      <Description>SUSE Bug 1257329</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-12816/</URL>
      <Description>SUSE CVE CVE-2025-12816 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-13465/</URL>
      <Description>SUSE CVE CVE-2025-13465 page</Description>
    </Reference>
  </DocumentReferences>
  <ProductTree xmlns="http://www.icasi.org/CVRF/schema/prod/1.1">
    <Branch Type="Product Family" Name="openSUSE Leap 16.0">
      <Branch Type="Product Name" Name="openSUSE Leap 16.0">
        <FullProductName ProductID="openSUSE Leap 16.0">openSUSE Leap 16.0</FullProductName>
      </Branch>
    </Branch>
    <Branch Type="Product Version" Name="golang-github-prometheus-prometheus-3.5.0-160000.1.1">
      <FullProductName ProductID="golang-github-prometheus-prometheus-3.5.0-160000.1.1">golang-github-prometheus-prometheus-3.5.0-160000.1.1</FullProductName>
    </Branch>
    <Relationship ProductReference="golang-github-prometheus-prometheus-3.5.0-160000.1.1" RelationType="Default Component Of" RelatesToProductReference="openSUSE Leap 16.0">
      <FullProductName ProductID="openSUSE Leap 16.0:golang-github-prometheus-prometheus-3.5.0-160000.1.1">golang-github-prometheus-prometheus-3.5.0-160000.1.1 as a component of openSUSE Leap 16.0</FullProductName>
    </Relationship>
  </ProductTree>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">An interpretation-conflict (CWE-436) vulnerability in node-forge versions 1.3.1 and earlier enables unauthenticated attackers to craft ASN.1 structures to desynchronize schema validations, yielding a semantic divergence that may bypass downstream cryptographic verifications and security decisions.</Note>
    </Notes>
    <CVE>CVE-2025-12816</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>openSUSE Leap 16.0:golang-github-prometheus-prometheus-3.5.0-160000.1.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL/>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-12816.html</URL>
        <Description>CVE-2025-12816</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1255584</URL>
        <Description>SUSE Bug 1255584</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="2">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes.

The issue permits deletion of properties but does not allow overwriting their original behavior.
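
As an added illustration (this is not lodash's source and not part of the advisory), the JavaScript below shows the class of bug described above with a toy path-based unset helper: one that walks user-supplied keys with plain property access and can be steered from an instance onto its class prototype by a path such as constructor.prototype.render, beside a hardened variant that refuses the __proto__, constructor and prototype segments and only deletes own properties. The Widget class, the attacker-controlled path and the helper names are constructed for the example; the demonstration uses a local class so nothing global is damaged.

```javascript
// Added illustrative example for the prototype-deletion bug class (toy code,
// NOT lodash's implementation). It shows why a path walker must never let a
// user-controlled path segment step from an instance onto a shared prototype.

// Segments that let a path climb to a prototype shared by every instance.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function splitPath(path) {
  return Array.isArray(path) ? path : String(path).split(".");
}

// Naive: every key is resolved with plain property access, so
// "constructor.prototype.render" resolves to the class prototype and the
// final delete removes a method from every instance of that class.
function unsafeUnset(object, path) {
  const keys = splitPath(path);
  let parent = object;
  for (const key of keys.slice(0, -1)) {
    if (parent == null) return true;
    parent = parent[key];
  }
  if (parent == null) return true;
  return delete parent[keys[keys.length - 1]];
}

// Hardened: reject prototype-reaching segments up front and only traverse and
// delete own properties of the object that was actually handed in.
function safeUnset(object, path) {
  const keys = splitPath(path);
  if (keys.some((key) => FORBIDDEN_KEYS.has(key))) return false;
  let parent = object;
  for (const key of keys.slice(0, -1)) {
    if (parent == null) return true;
    if (!Object.prototype.hasOwnProperty.call(parent, key)) return true;
    parent = parent[key];
  }
  if (parent == null) return true;
  const last = keys[keys.length - 1];
  if (!Object.prototype.hasOwnProperty.call(parent, last)) return true;
  return delete parent[last];
}

// Constructed victim class; stands in for any shared prototype.
class Widget {
  render() { return "rendered"; }
}

// Runs one unset implementation against an attacker-controlled path and
// reports whether the shared prototype method survived. Restores the method
// afterwards so repeated runs start from the same state.
function demonstrate(unsetImpl) {
  const victim = new Widget();
  const attackerPath = "constructor.prototype.render"; // constructed input
  unsetImpl(victim, attackerPath);
  const survived = typeof Widget.prototype.render === "function";
  Widget.prototype.render = function () { return "rendered"; };
  return survived;
}

function main() {
  const afterUnsafe = demonstrate(unsafeUnset); // false: method deleted
  const afterSafe = demonstrate(safeUnset);     // true: prototype untouched
  console.log({ afterUnsafe, afterSafe });
}
main();
```

The hardened variant still deletes ordinary nested own properties; what it refuses is any path that could only reach a value by walking through a prototype link, which is the exact capability the advisory describes as the attack.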

This issue is patched in 4.17.23</Note>
    </Notes>
    <CVE>CVE-2025-13465</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>openSUSE Leap 16.0:golang-github-prometheus-prometheus-3.5.0-160000.1.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL/>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-13465.html</URL>
        <Description>CVE-2025-13465</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1257321</URL>
        <Description>SUSE Bug 1257321</Description>
      </Reference>
    </References>
  </Vulnerability>
</cvrfdoc>
