Security update for golang-github-prometheus-prometheus SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:01990-1 Final 1 1 2025-06-18T02:11:49Z current 2025-06-18T02:11:49Z 2025-06-18T02:11:49Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for golang-github-prometheus-prometheus This update for golang-github-prometheus-prometheus fixes the following issues: - Security issues fixed: * CVE-2023-45288: Require Go >= 1.23 for building (bsc#1236516) * CVE-2025-22870: Bump golang.org/x/net to version 0.39.0 (bsc#1238686) - Version was updated to 2.53.4 with the following bug fixes: * Runtime: fix GOGC is being set to 0 when installed with empty prometheus.yml file resulting high cpu usage * Scrape: fix dropping valid metrics after previous scrape failed The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2025-1990,SUSE-SLE-Module-Packagehub-Subpackages-15-SP6-2025-1990,SUSE-SLE-Module-Packagehub-Subpackages-15-SP7-2025-1990,SUSE-SLE-Module-SUSE-Manager-Proxy-4.3-2025-1990,openSUSE-SLE-15.6-2025-1990 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-202501990-1/ Link for SUSE-SU-2025:01990-1 https://lists.suse.com/pipermail/sle-updates/2025-June/040348.html E-Mail link for SUSE-SU-2025:01990-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1208752 SUSE Bug 1208752 https://bugzilla.suse.com/1236516 SUSE Bug 1236516 https://bugzilla.suse.com/1238686 SUSE Bug 1238686 https://www.suse.com/security/cve/CVE-2023-45288/ SUSE CVE CVE-2023-45288 page https://www.suse.com/security/cve/CVE-2025-22870/ SUSE CVE CVE-2025-22870 page SUSE Linux Enterprise Module for Package Hub 15 SP6 SUSE Linux Enterprise Module for Package Hub 15 SP7 SUSE Manager Proxy Module 4.3 openSUSE Leap 15.6 firewalld-prometheus-config-0.1-150100.4.26.2 golang-github-prometheus-prometheus-2.53.4-150100.4.26.2 golang-github-prometheus-prometheus-2.53.4-150100.4.26.2 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP6 golang-github-prometheus-prometheus-2.53.4-150100.4.26.2 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP7 golang-github-prometheus-prometheus-2.53.4-150100.4.26.2 as a component of SUSE Manager Proxy Module 4.3 firewalld-prometheus-config-0.1-150100.4.26.2 as a component of openSUSE Leap 15.6 golang-github-prometheus-prometheus-2.53.4-150100.4.26.2 as a component of openSUSE Leap 15.6 An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection. CVE-2023-45288 SUSE Linux Enterprise Module for Package Hub 15 SP6:golang-github-prometheus-prometheus-2.53.4-150100.4.26.2 SUSE Linux Enterprise Module for Package Hub 15 SP7:golang-github-prometheus-prometheus-2.53.4-150100.4.26.2 SUSE Manager Proxy Module 4.3:golang-github-prometheus-prometheus-2.53.4-150100.4.26.2 openSUSE Leap 15.6:firewalld-prometheus-config-0.1-150100.4.26.2 openSUSE Leap 15.6:golang-github-prometheus-prometheus-2.53.4-150100.4.26.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202501990-1/ https://www.suse.com/security/cve/CVE-2023-45288.html CVE-2023-45288 https://bugzilla.suse.com/1221400 SUSE Bug 1221400 Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied. CVE-2025-22870 SUSE Linux Enterprise Module for Package Hub 15 SP6:golang-github-prometheus-prometheus-2.53.4-150100.4.26.2 SUSE Linux Enterprise Module for Package Hub 15 SP7:golang-github-prometheus-prometheus-2.53.4-150100.4.26.2 SUSE Manager Proxy Module 4.3:golang-github-prometheus-prometheus-2.53.4-150100.4.26.2 openSUSE Leap 15.6:firewalld-prometheus-config-0.1-150100.4.26.2 openSUSE Leap 15.6:golang-github-prometheus-prometheus-2.53.4-150100.4.26.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202501990-1/ https://www.suse.com/security/cve/CVE-2025-22870.html CVE-2025-22870 https://bugzilla.suse.com/1238572 SUSE Bug 1238572 https://bugzilla.suse.com/1238611 SUSE Bug 1238611