OPENSUSE-SU-2026:20177-1

Vulnerability from csaf_opensuse - Published: 2026-02-05 10:44 - Updated: 2026-02-05 10:44
Summary
Security update for golang-github-prometheus-prometheus

Notes

Title of the patch
Security update for golang-github-prometheus-prometheus
Description of the patch
This update for golang-github-prometheus-prometheus fixes the following issues:

Update to version 3.5.0:

Security issues fixed:

- CVE-2025-13465: prototype pollution in the _.unset and _.omit functions can lead to deletion of methods from global (bsc#1257329).
- CVE-2025-12816: interpretation conflict vulnerability allowing bypassing cryptographic verifications (bsc#1255588).

Other updates and bugfixes:

- Update to 3.5.0 (jsc#PED-13824):
  * [FEATURE] Remote-write: Add support for Azure Workload Identity as an authentication method for the receiver.
  * [FEATURE] PromQL: Add first_over_time(...) and ts_of_first_over_time(...) behind feature flag.
  * [FEATURE] Federation: Add support for native histograms with custom buckets (NHCB).
  * [ENHANCEMENT] PromQL: Add warn-level annotations for counter reset conflicts in certain histogram operations.
  * [ENHANCEMENT] UI: Add scrape interval and scrape timeout to targets page.
- Update to 3.4.0:
  * Add unified AWS service discovery for ec2, lightsail and ecs services.
  * [FEATURE] Native histograms are now a stable, but optional feature.
  * [FEATURE] UI: Show detailed relabeling steps for each discovered target.
  * [ENHANCEMENT] Alerting: Add "unknown" state for alerting rules that haven't been evaluated yet.
  * [BUGFIX] Scrape: Fix a bug where scrape cache would not be cleared on startup.
- Update to 3.3.0:
  * [FEATURE] Spring Boot 3.3 includes support for the Prometheus Client 1.x.
  * [ENHANCEMENT] Dependency management for Dropwizard Metrics has been removed.
- Update to 3.2.0:
  * [FEATURE] OAuth2: support jwt-bearer grant-type (RFC7523 3.1).
  * [ENHANCEMENT] PromQL: Reconcile mismatched NHCB bounds in Add and Sub.
  * [BUGFIX] TSDB: Native Histogram Custom Bounds with a NaN threshold are now rejected.
- Update to 3.1.0:
  * [FEATURE] Remote-write 2 (receiving): Update to 2.0-rc.4 spec. "created timestamp" (CT) is now called "start timestamp" (ST).
  * [BUGFIX] Mixin: Add static UID to the remote-write dashboard.
- Update to 3.0.1:
  * [BUGFIX] Promql: Make subqueries left open.
  * [BUGFIX] Fix memory leak when query log is enabled.
  * [BUGFIX] Support utf8 names on /v1/label/:name/values endpoint.
- Update to 3.0.0:
  * [CHANGE] Deprecated feature flags removed.
  * [FEATURE] New UI.
  * [FEATURE] Remote Write 2.0.
  * [FEATURE] OpenTelemetry Support.
  * [FEATURE] UTF-8 support is now stable and enabled by default.
  * [FEATURE] OTLP Ingestion.
  * [FEATURE] Native Histograms.
  * [BUGFIX] PromQL: Fix count_values for histograms.
  * [BUGFIX] TSDB: Fix race on stale values in headAppender.
  * [BUGFIX] UI: Fix selector / series formatting for empty metric names.
- Update to 2.55.0:
  * [FEATURE] PromQL: Add `last_over_time` function.
  * [FEATURE] Agent: Add `prometheus_agent_build_info` metric.
  * [ENHANCEMENT] PromQL: Optimise `group()` and `group by()`.
  * [ENHANCEMENT] TSDB: Reduce memory usage when loading blocks.
  * [BUGFIX] Scrape: Fix a bug where a target could be scraped multiple times.
- Update to 2.54.0:
  * [CHANGE] Remote-Write: highest_timestamp_in_seconds and queue_highest_sent_timestamp_seconds metrics now initialized to 0.
  * [CHANGE] API: Split warnings from info annotations in API response.
  * [FEATURE] Remote-Write: Version 2.0 experimental, plus metadata in WAL via feature flag.
  * [FEATURE] PromQL: add limitk() and limit_ratio() aggregation operators.
  * [ENHANCEMENT] PromQL: Accept underscores in literal numbers.
  * [ENHANCEMENT] PromQL: float literal numbers and durations are now interchangeable (experimental).
  * [ENHANCEMENT] PromQL (experimental native histograms): Optimize histogram_count and histogram_sum functions.
  * [BUGFIX] PromQL: Fix various issues with native histograms.
  * [BUGFIX] TSDB: Fix race on stale values in headAppender.
  * [BUGFIX] OTLP receiver: Allow colons in non-standard units.
Patchnames
openSUSE-Leap-16.0-243
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for golang-github-prometheus-prometheus",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for golang-github-prometheus-prometheus fixes the following issues:\n\nUpdate to version 3.5.0:\n\nSecurity issues fixed:\n\n- CVE-2025-13465: prototype pollution in the _.unset and _.omit functions can lead to deletion of methods from global (bsc#1257329).\n- CVE-2025-12816: interpretation conflict vulnerability allowing bypassing cryptographic verifications (bsc#1255588).\n\nOther updates and bugfixes:\n\n- Update to 3.5.0 (jsc#PED-13824):\n\n  * [FEATURE] Remote-write: Add support for Azure Workload Identity\n    as an authentication method for the receiver.\n  * [FEATURE] PromQL: Add first_over_time(...) and\n    ts_of_first_over_time(...) behind feature flag.\n  * [FEATURE] Federation: Add support for native histograms with\n    custom buckets (NHCB).\n  * [ENHANCEMENT] PromQL: Add warn-level annotations for counter\n    reset conflicts in certain histogram operations.\n  * [ENHANCEMENT] UI: Add scrape interval and scrape timeout to\n    targets page.\n\n- Update to 3.4.0:\n\n  * Add unified AWS service discovery for ec2, lightsail and ecs services.\n  * [FEATURE] Native histograms are now a stable, but optional\n    feature.\n  * [FEATURE] UI: Show detailed relabeling steps for each\n    discovered target.\n  * [ENHANCEMENT] Alerting: Add \"unknown\" state for alerting rules\n    that haven\u0027t been evaluated yet.\n  * [BUGFIX] Scrape: Fix a bug where scrape cache would not be\n    cleared on startup.\n\n- Update to 3.3.0:\n\n  * [FEATURE] Spring Boot 3.3 includes support for the Prometheus\n    Client 1.x.\n  * [ENHANCEMENT] Dependency management for Dropwizard Metrics has\n    been removed.\n\n- Update to 3.2.0:\n\n  * [FEATURE] OAuth2: support jwt-bearer grant-type (RFC7523 3.1).\n  * [ENHANCEMENT] PromQL: Reconcile mismatched NHCB bounds in Add\n    and Sub.\n  * [BUGFIX] TSDB: Native Histogram Custom Bounds with a NaN\n    threshold are now rejected.\n\n- Update to 3.1.0:\n\n  * [FEATURE] Remote-write 2 (receiving): Update to 2.0-rc.4 spec.\n    \"created timestamp\" (CT) is now called \"start timestamp\" (ST).\n  * [BUGFIX] Mixin: Add static UID to the remote-write dashboard.\n\n- Update to 3.0.1:\n\n  * [BUGFIX] Promql: Make subqueries left open.\n  * [BUGFIX] Fix memory leak when query log is enabled.\n  * [BUGFIX] Support utf8 names on /v1/label/:name/values endpoint.\n\n- Update to 3.0.0:\n\n  * [CHANGE] Deprecated feature flags removed.\n  * [FEATURE] New UI.\n  * [FEATURE] Remote Write 2.0.\n  * [FEATURE] OpenTelemetry Support.\n  * [FEATURE] UTF-8 support is now stable and enabled by default.\n  * [FEATURE] OTLP Ingestion.\n  * [FEATURE] Native Histograms.\n  * [BUGFIX] PromQL: Fix count_values for histograms.\n  * [BUGFIX] TSDB: Fix race on stale values in headAppender.\n  * [BUGFIX] UI: Fix selector / series formatting for empty metric\n    names.\n\n- Update to 2.55.0:\n\n  * [FEATURE] PromQL: Add `last_over_time` function.\n  * [FEATURE] Agent: Add `prometheus_agent_build_info` metric.\n  * [ENHANCEMENT] PromQL: Optimise `group()` and `group by()`.\n  * [ENHANCEMENT] TSDB: Reduce memory usage when loading blocks.\n  * [BUGFIX] Scrape: Fix a bug where a target could be scraped\n    multiple times.\n\n- Update to 2.54.0:\n\n  * [CHANGE] Remote-Write: highest_timestamp_in_seconds and\n    queue_highest_sent_timestamp_seconds metrics now initialized to\n    0.\n  * [CHANGE] API: Split warnings from info annotations in API\n    response.\n  * [FEATURE] Remote-Write: Version 2.0 experimental, plus metadata\n    in WAL via feature flag.\n  * [FEATURE] PromQL: add limitk() and limit_ratio() aggregation\n    operators.\n  * [ENHANCEMENT] PromQL: Accept underscores in literal numbers.\n  * [ENHANCEMENT] PromQL: float literal numbers and durations are\n    now interchangeable (experimental).\n  * [ENHANCEMENT] PromQL (experimental native histograms): Optimize\n    histogram_count and histogram_sum functions.\n  * [BUGFIX] PromQL: Fix various issues with native histograms.\n  * [BUGFIX] TSDB: Fix race on stale values in headAppender.\n  * [BUGFIX] OTLP receiver: Allow colons in non-standard units.\n\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Leap-16.0-243",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_20177-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1255588",
        "url": "https://bugzilla.suse.com/1255588"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1257329",
        "url": "https://bugzilla.suse.com/1257329"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-12816 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-12816/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-13465 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-13465/"
      }
    ],
    "title": "Security update for golang-github-prometheus-prometheus",
    "tracking": {
      "current_release_date": "2026-02-05T10:44:24Z",
      "generator": {
        "date": "2026-02-05T10:44:24Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2026:20177-1",
      "initial_release_date": "2026-02-05T10:44:24Z",
      "revision_history": [
        {
          "date": "2026-02-05T10:44:24Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "golang-github-prometheus-prometheus-3.5.0-160000.1.1.aarch64",
                "product": {
                  "name": "golang-github-prometheus-prometheus-3.5.0-160000.1.1.aarch64",
                  "product_id": "golang-github-prometheus-prometheus-3.5.0-160000.1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "golang-github-prometheus-prometheus-3.5.0-160000.1.1.ppc64le",
                "product": {
                  "name": "golang-github-prometheus-prometheus-3.5.0-160000.1.1.ppc64le",
                  "product_id": "golang-github-prometheus-prometheus-3.5.0-160000.1.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "golang-github-prometheus-prometheus-3.5.0-160000.1.1.s390x",
                "product": {
                  "name": "golang-github-prometheus-prometheus-3.5.0-160000.1.1.s390x",
                  "product_id": "golang-github-prometheus-prometheus-3.5.0-160000.1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "golang-github-prometheus-prometheus-3.5.0-160000.1.1.x86_64",
                "product": {
                  "name": "golang-github-prometheus-prometheus-3.5.0-160000.1.1.x86_64",
                  "product_id": "golang-github-prometheus-prometheus-3.5.0-160000.1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Leap 16.0",
                "product": {
                  "name": "openSUSE Leap 16.0",
                  "product_id": "openSUSE Leap 16.0"
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "golang-github-prometheus-prometheus-3.5.0-160000.1.1.aarch64 as component of openSUSE Leap 16.0",
          "product_id": "openSUSE Leap 16.0:golang-github-prometheus-prometheus-3.5.0-160000.1.1.aarch64"
        },
        "product_reference": "golang-github-prometheus-prometheus-3.5.0-160000.1.1.aarch64",
        "relates_to_product_reference": "openSUSE Leap 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "golang-github-prometheus-prometheus-3.5.0-160000.1.1.ppc64le as component of openSUSE Leap 16.0",
          "product_id": "openSUSE Leap 16.0:golang-github-prometheus-prometheus-3.5.0-160000.1.1.ppc64le"
        },
        "product_reference": "golang-github-prometheus-prometheus-3.5.0-160000.1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Leap 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "golang-github-prometheus-prometheus-3.5.0-160000.1.1.s390x as component of openSUSE Leap 16.0",
          "product_id": "openSUSE Leap 16.0:golang-github-prometheus-prometheus-3.5.0-160000.1.1.s390x"
        },
        "product_reference": "golang-github-prometheus-prometheus-3.5.0-160000.1.1.s390x",
        "relates_to_product_reference": "openSUSE Leap 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "golang-github-prometheus-prometheus-3.5.0-160000.1.1.x86_64 as component of openSUSE Leap 16.0",
          "product_id": "openSUSE Leap 16.0:golang-github-prometheus-prometheus-3.5.0-160000.1.1.x86_64"
        },
        "product_reference": "golang-github-prometheus-prometheus-3.5.0-160000.1.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 16.0"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-12816",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-12816"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "An interpretation-conflict (CWE-436) vulnerability in node-forge versions 1.3.1 and earlier enables unauthenticated attackers to craft ASN.1 structures to desynchronize schema validations, yielding a semantic divergence that may bypass downstream cryptographic verifications and security decisions.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 16.0:golang-github-prometheus-prometheus-3.5.0-160000.1.1.aarch64",
          "openSUSE Leap 16.0:golang-github-prometheus-prometheus-3.5.0-160000.1.1.ppc64le",
          "openSUSE Leap 16.0:golang-github-prometheus-prometheus-3.5.0-160000.1.1.s390x",
          "openSUSE Leap 16.0:golang-github-prometheus-prometheus-3.5.0-160000.1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-12816",
          "url": "https://www.suse.com/security/cve/CVE-2025-12816"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1255584 for CVE-2025-12816",
          "url": "https://bugzilla.suse.com/1255584"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 16.0:golang-github-prometheus-prometheus-3.5.0-160000.1.1.aarch64",
            "openSUSE Leap 16.0:golang-github-prometheus-prometheus-3.5.0-160000.1.1.ppc64le",
            "openSUSE Leap 16.0:golang-github-prometheus-prometheus-3.5.0-160000.1.1.s390x",
            "openSUSE Leap 16.0:golang-github-prometheus-prometheus-3.5.0-160000.1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Leap 16.0:golang-github-prometheus-prometheus-3.5.0-160000.1.1.aarch64",
            "openSUSE Leap 16.0:golang-github-prometheus-prometheus-3.5.0-160000.1.1.ppc64le",
            "openSUSE Leap 16.0:golang-github-prometheus-prometheus-3.5.0-160000.1.1.s390x",
            "openSUSE Leap 16.0:golang-github-prometheus-prometheus-3.5.0-160000.1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-02-05T10:44:24Z",
          "details": "important"
        }
      ],
      "title": "CVE-2025-12816"
    },
    {
      "cve": "CVE-2025-13465",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-13465"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset  and _.omit  functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes.\n\nThe issue permits deletion of properties but does not allow overwriting their original behavior.\n\nThis issue is patched on 4.17.23",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 16.0:golang-github-prometheus-prometheus-3.5.0-160000.1.1.aarch64",
          "openSUSE Leap 16.0:golang-github-prometheus-prometheus-3.5.0-160000.1.1.ppc64le",
          "openSUSE Leap 16.0:golang-github-prometheus-prometheus-3.5.0-160000.1.1.s390x",
          "openSUSE Leap 16.0:golang-github-prometheus-prometheus-3.5.0-160000.1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-13465",
          "url": "https://www.suse.com/security/cve/CVE-2025-13465"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1257321 for CVE-2025-13465",
          "url": "https://bugzilla.suse.com/1257321"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 16.0:golang-github-prometheus-prometheus-3.5.0-160000.1.1.aarch64",
            "openSUSE Leap 16.0:golang-github-prometheus-prometheus-3.5.0-160000.1.1.ppc64le",
            "openSUSE Leap 16.0:golang-github-prometheus-prometheus-3.5.0-160000.1.1.s390x",
            "openSUSE Leap 16.0:golang-github-prometheus-prometheus-3.5.0-160000.1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Leap 16.0:golang-github-prometheus-prometheus-3.5.0-160000.1.1.aarch64",
            "openSUSE Leap 16.0:golang-github-prometheus-prometheus-3.5.0-160000.1.1.ppc64le",
            "openSUSE Leap 16.0:golang-github-prometheus-prometheus-3.5.0-160000.1.1.s390x",
            "openSUSE Leap 16.0:golang-github-prometheus-prometheus-3.5.0-160000.1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-02-05T10:44:24Z",
          "details": "important"
        }
      ],
      "title": "CVE-2025-13465"
    }
  ]
}
