Security update golang-github-prometheus-prometheus

Announcement ID:	SUSE-SU-2025:0546-1
Release Date:	2025-02-14T07:24:45Z
Rating:	moderate
References:	bsc#1232970 jsc#MSQA-914 jsc#PED-11649
Cross-References:	CVE-2024-51744
CVSS scores:	CVE-2024-51744 ( SUSE ): 2.1 CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N CVE-2024-51744 ( SUSE ): 3.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N CVE-2024-51744 ( NVD ): 3.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
Affected Products:	openSUSE Leap 15.6 SUSE Linux Enterprise Desktop 15 SP6 SUSE Linux Enterprise Real Time 15 SP6 SUSE Linux Enterprise Server 15 SP6 SUSE Linux Enterprise Server for SAP Applications 15 SP6 SUSE Manager Proxy 4.3 SUSE Manager Proxy 4.3 Module SUSE Manager Retail Branch Server 4.3 SUSE Package Hub 15 15-SP6

An update that solves one vulnerability and contains two features can now be installed.

Description:

golang-github-prometheus-prometheus was updated from version 2.45.6 to 2.53.3 (jsc#PED-11649):

• Security issues fixed:

• CVE-2024-51744: Updated golang-jwt to version 5.0 to fix bad error handling (bsc#1232970)

• Highlights of other changes:

• Performance:
  • Significant enhancements to PromQL execution speed, TSDB operations (especially querying and compaction) and remote write operations.
  • Default GOGC value lowered to 75 for better memory management.
  • Option to limit memory usage from dropped targets added.
• New Features:
  • Experimental OpenTelemetry ingestion.
  • Automatic memory limit handling.
  • Native histogram support, including new functions, UI enhancements, and improved scraping.
  • Improved alerting features, such as relabeling rules for AlertmanagerConfig and a new query_offset option.
  • Expanded service discovery options with added metadata and support for new services.
  • New promtool commands for PromQL formatting, label manipulation, metric pushing, and OpenMetrics dumping.
• Bug Fixes:
  • Numerous fixes across scraping, API, TSDB, PromQL, and service discovery.
• For a detailed list of changes consult the package changelog or https://github.com/prometheus/prometheus/compare/v2.45.6...v2.53.3

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• openSUSE Leap 15.6
  zypper in -t patch openSUSE-SLE-15.6-2025-546=1
• SUSE Package Hub 15 15-SP6
  zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP6-2025-546=1
• SUSE Manager Proxy 4.3 Module
  zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Proxy-4.3-2025-546=1

Package List:

• openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64)
  • firewalld-prometheus-config-0.1-150100.4.23.1
  • golang-github-prometheus-prometheus-2.53.3-150100.4.23.1
• SUSE Package Hub 15 15-SP6 (aarch64 ppc64le s390x x86_64)
  • golang-github-prometheus-prometheus-2.53.3-150100.4.23.1
• SUSE Manager Proxy 4.3 Module (aarch64 ppc64le s390x x86_64)
  • golang-github-prometheus-prometheus-2.53.3-150100.4.23.1

References:

• https://www.suse.com/security/cve/CVE-2024-51744.html
• https://bugzilla.suse.com/show_bug.cgi?id=1232970
• https://jira.suse.com/browse/MSQA-914
• https://jira.suse.com/browse/PED-11649