Security update for alloy SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2026:0028-1 Final 1 1 2026-01-05T12:53:11Z current 2026-01-05T12:53:11Z 2026-01-05T12:53:11Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for alloy This update for alloy fixes the following issues: Upgrade to version 1.12.1. Security issues fixed: - CVE-2025-47911: golang.org/x/net/html: quadratic complexity algorithms used when parsing untrusted HTML documents (bsc#1251509). - CVE-2025-47913: golang.org/x/crypto: early client process termination when receiving an unexpected message type in response to a key listing or signing request (bsc#1253609). - CVE-2025-58190: golang.org/x/net/html: excessive memory consumption by `html.ParseFragment` when processing specially crafted input (bsc#1251716). Other updates and bugfixes: - Version 1.12.1: * Bugfixes - update to Beyla 2.7.10. - Version 1.12.0: * Breaking changes - `prometheus.exporter.blackbox`, `prometheus.exporter.snmp` and `prometheus.exporter.statsd` now use the component ID instead of the hostname as their instance label in their exported metrics. * Features - (Experimental) Add an `otelcol.receiver.cloudflare` component to receive logs pushed by Cloudflare's LogPush jobs. - (Experimental) Additions to experimental `database_observability.mysql` component: - `explain_plans` - collector now changes schema before returning the connection to the pool. - collector now passes queries more permissively. - enable `explain_plans` collector by default - (Experimental) Additions to experimental `database_observability.postgres` component: - `explain_plans` - added the explain plan collector. - collector now passes queries more permissively. - `query_samples` - add user field to wait events within `query_samples` collector. - rework the query samples collector to buffer per-query execution state across scrapes and emit finalized entries. - process turned idle rows to calculate finalization times precisely and emit first seen idle rows. - `query_details` - escape queries coming from `pg_stat_statements` with quotes. - enable `explain_plans` collector by default. - safely generate `server_id` when UDP socket used for database connection. - add table registry and include 'validated' in parsed table name logs. - Add `otelcol.exporter.googlecloudpubsub` community component to export metrics, traces, and logs to Google Cloud Pub/Sub topic. - Add `structured_metadata_drop` stage for `loki.process` to filter structured metadata. - Send remote config status to the remote server for the `remotecfg` service. - Send effective config to the remote server for the `remotecfg` service. - Add a `stat_statements` configuration block to the `prometheus.exporter.postgres` component to enable selecting both the query ID and the full SQL statement. The new block includes one option to enable statement selection, and another to configure the maximum length of the statement text. - Add truncate stage for `loki.process` to truncate log entries, label values, and `structured_metadata` values. - Add `u_probe_links` & `load_probe` configuration fields to alloy `pyroscope.ebpf` to extend configuration of the `opentelemetry-ebpf-profiler` to allow uprobe profiling and dynamic probing. - Add `verbose_mode` configuration fields to `alloy pyroscope.ebpf` to be enable `ebpf-profiler` verbose mode. - Add `file_match` block to `loki.source.file` for built-in file discovery using glob patterns. - Add a regex argument to the `structured_metadata` stage in `loki.process` to extract labels matching a regular expression. - OpenTelemetry Collector dependencies upgraded from v0.134.0 to v0.139.0. - See the upstream [core](https://github.com/open-telemetry/opentelemetry-collector/blob/v0.139.0/CHANGELOG.md) and [contrib](https://github.com/open-telemetry/opentelemetry-collector-contrib/blob/v0.139.0/CHANGELOG.md) changelogs for more details. - A new `mimir.alerts.kubernetes` component which discovers AlertmanagerConfig Kubernetes resources and loads them into a Mimir instance. - Mark `stage.windowsevent` block in the `loki.process` component as GA. * Enhancements - Add per-application rate limiting with the strategy attribute in the `faro.receiver` component, to prevent one application from consuming the rate limit quota of others. - Add support of tls in components `loki.source.(awsfirehose|gcplog|heroku|api)` and `prometheus.receive_http` and `pyroscope.receive_http`. - Remove `SendSIGKILL=no` from unit files and recommendations. - Reduce memory overhead of `prometheus.remote_write`'s WAL by lowering the size of the allocated series storage. - Reduce lock wait/contention on the `labelstore.LabelStore` by removing unecessary usage from `prometheus.relabel`. - `prometheus.exporter.postgres` dependency has been updated to v0.18.1. - Update Beyla component to 2.7.8. - Support delimiters in `stage.luhn`. - `pyroscope.java`: update `async-profiler` to 4.2. - `prometheus.exporter.unix`: Add an arp config block to configure the ARP collector. - `prometheus.exporter.snowflake` dependency has been updated to 20251016132346-6d442402afb2. - `loki.source.podlogs` now supports `preserve_discovered_labels` parameter to preserve discovered pod metadata labels for use by downstream components. - Rework underlying framework of Alloy UI to use Vite instead of Create React App. - Use POST requests for remote config requests to avoid hitting http2 header limits. - `loki.source.api` during component shutdown will now reject all the inflight requests with status code 503 after `graceful_shutdown_timeout` has expired. - `kubernetes.discovery`: Add support for attaching namespace metadata. - Add `meta_cache_address` to `beyla.ebpf` component. * Bugfixes - Stop `loki.source.kubernetes` discarding log lines with duplicate timestamps. - Fix direction of arrows for pyroscope components in UI graph. - Only log EOF errors for syslog port investigations in `loki.source.syslog` as Debug, not Warn. - Fix `prometheus.exporter.process` ignoring the `remove_empty_groups` argument. - Fix issues with 'unknown series ref when trying to add exemplar' from `prometheus.remote_write` by allowing series ref links to be updated if they change. - Fix `loki.source.podlogs` component to register the Kubernetes field index for `spec.nodeName` when node filtering is enabled, preventing 'Index with name `field:spec.nodeName` does not exist' errors. - Fix issue in `loki.source.file` where scheduling files could take too long. - Fix `loki.write` no longer includes internal labels __. - Fix missing native histograms custom buckets (NHCB) samples from `prometheus.remote_write`. - `otelcol.receiver.prometheus` now supports mixed histograms if `prometheus.scrape` has `honor_metadata` set to true. - `loki.source.file` has better support for non-UTF-8 encoded files. - Fix the `loki.write` endpoint block's `enable_http2` attribute to actually affect the client. - Optionally remove trailing newlines before appending entries in `stage.multiline`. - `loki.source.api` no longer drops request when relabel rules drops a specific stream. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2026-28,SUSE-SLE-Module-Basesystem-15-SP7-2026-28 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2026/suse-su-20260028-1/ Link for SUSE-SU-2026:0028-1 https://lists.suse.com/pipermail/sle-security-updates/2026-January/023680.html E-Mail link for SUSE-SU-2026:0028-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1251509 SUSE Bug 1251509 https://bugzilla.suse.com/1251716 SUSE Bug 1251716 https://bugzilla.suse.com/1253609 SUSE Bug 1253609 https://www.suse.com/security/cve/CVE-2025-47911/ SUSE CVE CVE-2025-47911 page https://www.suse.com/security/cve/CVE-2025-47913/ SUSE CVE CVE-2025-47913 page https://www.suse.com/security/cve/CVE-2025-58190/ SUSE CVE CVE-2025-58190 page SUSE Linux Enterprise Module for Basesystem 15 SP7 alloy-1.12.1-150700.15.12.1 alloy-1.12.1-150700.15.12.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP7 unknown CVE-2025-47911 SUSE Linux Enterprise Module for Basesystem 15 SP7:alloy-1.12.1-150700.15.12.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260028-1/ https://www.suse.com/security/cve/CVE-2025-47911.html CVE-2025-47911 https://bugzilla.suse.com/1251308 SUSE Bug 1251308 SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client process. CVE-2025-47913 SUSE Linux Enterprise Module for Basesystem 15 SP7:alloy-1.12.1-150700.15.12.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260028-1/ https://www.suse.com/security/cve/CVE-2025-47913.html CVE-2025-47913 https://bugzilla.suse.com/1253506 SUSE Bug 1253506 unknown CVE-2025-58190 SUSE Linux Enterprise Module for Basesystem 15 SP7:alloy-1.12.1-150700.15.12.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260028-1/ https://www.suse.com/security/cve/CVE-2025-58190.html CVE-2025-58190 https://bugzilla.suse.com/1251309 SUSE Bug 1251309