openSUSE Local Security Checks : openSUSE Security Advisory (SUSE-SU-2024:0512-1)

Vulnerability Search		Search 324607 CVE descriptions and 145615 test descriptions, access 10,000+ cross references.
	Tests CVE All

Test ID: 1.3.6.1.4.1.25623.1.0.833803

Category: openSUSE Local Security Checks

Title: openSUSE Security Advisory (SUSE-SU-2024:0512-1)

Summary: The remote host is missing an update for the 'golang-github-prometheus-alertmanager' package(s) announced via the SUSE-SU-2024:0512-1 advisory.

Description: Summary:
The remote host is missing an update for the 'golang-github-prometheus-alertmanager' package(s) announced via the SUSE-SU-2024:0512-1 advisory.

Vulnerability Insight:
+ CVE-2023-40577: Fix stored XSS via the /api/v1/alerts endpoint in the Alertmanager UI (bsc#1218838)
* Other changes and bugs fixed:
+ Configuration: Fix empty list of receivers and inhibit_rules would cause the alertmanager to crash
+ Templating: Fixed a race condition when using the title function. It is now race-safe
+ API: Fixed duplicate receiver names in the api/v2/receivers API endpoint
+ API: Attempting to delete a silence now returns the correct status code, 404 instead of 500
+ Clustering: Fixes a panic when tls_client_config is empty
+ Webhook: url is now marked as a secret. It will no longer show up in the logs as clear-text
+ Metrics: New label reason for alertmanager_notifications_failed_total metric to indicate the type of error of the
alert delivery
+ Clustering: New flag --cluster.label, to help to block any traffic that is not meant for the cluster
+ Integrations: Add Microsoft Teams as a supported integration
- Version 0.25.0:
* Fail configuration loading if api_key and api_key_file are defined at the same time
* Fix the alertmanager_alerts metric to avoid counting resolved alerts as active. Also added a new
alertmanager_marked_alerts metric that retain the old behavior
* Trim contents of Slack API URLs when reading from files
* amtool: Avoid panic when the label value matcher is empty
* Fail configuration loading if api_url is empty for OpsGenie
* Fix email template for resolved notifications
* Add proxy_url support for OAuth2 in HTTP client configuration
* Reload TLS certificate and key from disk when updated
* Add Discord integration
* Add Webex integration
* Add min_version support to select the minimum TLS version in HTTP client configuration
* Add max_version support to select the maximum TLS version in HTTP client configuration
* Emit warning logs when truncating messages in notifications
* Support HEAD method for the /-/healty and /-/ready endpoints
* Add support for reading global and local SMTP passwords from files
* UI: Add 'Link' button to alerts in list
* UI: Allow to choose the first day of the week as Sunday or Monday
- Version 0.24.0:
* Fix HTTP client configuration for the SNS receiver
* Fix unclosed file descriptor after reading the silences snapshot file
* Fix field names for mute_time_intervals in JSON marshaling
* Ensure that the root route doesn't have any matchers
* Truncate the message's title to 1024 chars to avoid hitting Slack limits
* Fix the default HTML email template (email.default.html) to match with the canonical source
* Detect SNS FIFO topic based on the rendered value
* Avoid deleting and recreating a silence when an update is possible
* api/v2: Return 200 OK when deleting an expired silence
* amtool: Fix the silence's end date when adding a silence. The end date is (start date + duration) while it used to
be (current time + duration). The new behavior is consistent with the ... [Please see the references for more information on the vulnerabilities]

Affected Software/OS:
'golang-github-prometheus-alertmanager' package(s) on openSUSE Leap 15.5.

Solution:
Please install the updated package(s).

CVSS Score:
5.5

CVSS Vector:
AV:N/AC:L/Au:S/C:P/I:P/A:N

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2023-40577
https://github.com/prometheus/alertmanager/security/advisories/GHSA-v86x-5fm3-5p7j
https://lists.debian.org/debian-lts-announce/2023/10/msg00011.html

Copyright Copyright (C) 2024 Greenbone AG

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit.
To run a free test of this vulnerability against your system, register below.

Test ID:	1.3.6.1.4.1.25623.1.0.833803
Category:	openSUSE Local Security Checks
Title:	openSUSE Security Advisory (SUSE-SU-2024:0512-1)
Summary:	The remote host is missing an update for the 'golang-github-prometheus-alertmanager' package(s) announced via the SUSE-SU-2024:0512-1 advisory.
Description:	Summary: The remote host is missing an update for the 'golang-github-prometheus-alertmanager' package(s) announced via the SUSE-SU-2024:0512-1 advisory. Vulnerability Insight: + CVE-2023-40577: Fix stored XSS via the /api/v1/alerts endpoint in the Alertmanager UI (bsc#1218838) * Other changes and bugs fixed: + Configuration: Fix empty list of receivers and inhibit_rules would cause the alertmanager to crash + Templating: Fixed a race condition when using the title function. It is now race-safe + API: Fixed duplicate receiver names in the api/v2/receivers API endpoint + API: Attempting to delete a silence now returns the correct status code, 404 instead of 500 + Clustering: Fixes a panic when tls_client_config is empty + Webhook: url is now marked as a secret. It will no longer show up in the logs as clear-text + Metrics: New label reason for alertmanager_notifications_failed_total metric to indicate the type of error of the alert delivery + Clustering: New flag --cluster.label, to help to block any traffic that is not meant for the cluster + Integrations: Add Microsoft Teams as a supported integration - Version 0.25.0: * Fail configuration loading if api_key and api_key_file are defined at the same time * Fix the alertmanager_alerts metric to avoid counting resolved alerts as active. Also added a new alertmanager_marked_alerts metric that retain the old behavior * Trim contents of Slack API URLs when reading from files * amtool: Avoid panic when the label value matcher is empty * Fail configuration loading if api_url is empty for OpsGenie * Fix email template for resolved notifications * Add proxy_url support for OAuth2 in HTTP client configuration * Reload TLS certificate and key from disk when updated * Add Discord integration * Add Webex integration * Add min_version support to select the minimum TLS version in HTTP client configuration * Add max_version support to select the maximum TLS version in HTTP client configuration * Emit warning logs when truncating messages in notifications * Support HEAD method for the /-/healty and /-/ready endpoints * Add support for reading global and local SMTP passwords from files * UI: Add 'Link' button to alerts in list * UI: Allow to choose the first day of the week as Sunday or Monday - Version 0.24.0: * Fix HTTP client configuration for the SNS receiver * Fix unclosed file descriptor after reading the silences snapshot file * Fix field names for mute_time_intervals in JSON marshaling * Ensure that the root route doesn't have any matchers * Truncate the message's title to 1024 chars to avoid hitting Slack limits * Fix the default HTML email template (email.default.html) to match with the canonical source * Detect SNS FIFO topic based on the rendered value * Avoid deleting and recreating a silence when an update is possible * api/v2: Return 200 OK when deleting an expired silence * amtool: Fix the silence's end date when adding a silence. The end date is (start date + duration) while it used to be (current time + duration). The new behavior is consistent with the ... [Please see the references for more information on the vulnerabilities] Affected Software/OS: 'golang-github-prometheus-alertmanager' package(s) on openSUSE Leap 15.5. Solution: Please install the updated package(s). CVSS Score: 5.5 CVSS Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2023-40577 https://github.com/prometheus/alertmanager/security/advisories/GHSA-v86x-5fm3-5p7j https://lists.debian.org/debian-lts-announce/2023/10/msg00011.html
Copyright	Copyright (C) 2024 Greenbone AG