Test ID: 1.3.6.1.4.1.25623.1.0.833803
Category: openSUSE Local Security Checks
Title: openSUSE Security Advisory (SUSE-SU-2024:0512-1)
Summary: The remote host is missing an update for the 'golang-github-prometheus-alertmanager' package(s) announced via the SUSE-SU-2024:0512-1 advisory.
Description:

Vulnerability Insight:
+ CVE-2023-40577: Fix stored XSS via the /api/v1/alerts endpoint in the Alertmanager UI (bsc#1218838)
* Other changes and bugs fixed:
+ Configuration: Fix a crash of the alertmanager when the list of receivers or inhibit_rules is empty
+ Templating: Fixed a race condition when using the title function. It is now race-safe
+ API: Fixed duplicate receiver names in the api/v2/receivers API endpoint
+ API: Attempting to delete a silence now returns the correct status code, 404 instead of 500
+ Clustering: Fixes a panic when tls_client_config is empty
+ Webhook: url is now marked as a secret. It will no longer show up in the logs as clear-text
+ Metrics: New label reason for the alertmanager_notifications_failed_total metric to indicate the type of error of the alert delivery
+ Clustering: New flag --cluster.label, to help block any traffic that is not meant for the cluster
+ Integrations: Add Microsoft Teams as a supported integration
- Version 0.25.0:
* Fail configuration loading if api_key and api_key_file are defined at the same time
* Fix the alertmanager_alerts metric to avoid counting resolved alerts as active. Also added a new alertmanager_marked_alerts metric that retains the old behavior
* Trim contents of Slack API URLs when reading from files
* amtool: Avoid panic when the label value matcher is empty
* Fail configuration loading if api_url is empty for OpsGenie
* Fix email template for resolved notifications
* Add proxy_url support for OAuth2 in HTTP client configuration
* Reload TLS certificate and key from disk when updated
* Add Discord integration
* Add Webex integration
* Add min_version support to select the minimum TLS version in HTTP client configuration
* Add max_version support to select the maximum TLS version in HTTP client configuration
* Emit warning logs when truncating messages in notifications
* Support HEAD method for the /-/healthy and /-/ready endpoints
* Add support for reading global and local SMTP passwords from files
* UI: Add 'Link' button to alerts in list
* UI: Allow to choose the first day of the week as Sunday or Monday
- Version 0.24.0:
* Fix HTTP client configuration for the SNS receiver
* Fix unclosed file descriptor after reading the silences snapshot file
* Fix field names for mute_time_intervals in JSON marshaling
* Ensure that the root route doesn't have any matchers
* Truncate the message's title to 1024 chars to avoid hitting Slack limits
* Fix the default HTML email template (email.default.html) to match with the canonical source
* Detect SNS FIFO topic based on the rendered value
* Avoid deleting and recreating a silence when an update is possible
* api/v2: Return 200 OK when deleting an expired silence
* amtool: Fix the silence's end date when adding a silence. The end date is (start date + duration) while it used to be (current time + duration). The new behavior is consistent with the ... [Please see the references for more information on the vulnerabilities]

Affected Software/OS:
'golang-github-prometheus-alertmanager' package(s) on openSUSE Leap 15.5.

Solution:
Please install the updated package(s).
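The test above is a local package check; a complementary check from the network side is to ask a running Alertmanager which version it reports and compare that with the first upstream release containing the fix for CVE-2023-40577. The script below is an added example and is not part of the Greenbone test, the SUSE advisory or the Alertmanager project. It assumes (from the referenced GitHub advisory) that 0.25.1 is the first fixed upstream release, and that Alertmanager reports its version in the versionInfo.version field of the /api/v2/status response; the JSON response embedded in the script is constructed so that the script runs offline, and the helper names (vercmp, is_vulnerable, status_version, check_host) are this example's own.

```shell
#!/bin/sh
# Added example, not code from the Greenbone NVT or the Alertmanager project.
# Decide whether an Alertmanager still carries CVE-2023-40577 by comparing the
# version it reports with the first upstream release that contains the fix.

# Assumption taken from GHSA-v86x-5fm3-5p7j: 0.25.1 is the first patched release.
FIXED_IN="0.25.1"

# Compare two dotted version strings numerically and print -1, 0 or 1
# (a<b, a==b, a>b). A leading "v" and any pre-release/build suffix such as
# "-rc.0" or "+dirty" are ignored; missing components count as 0.
vercmp() {
    a=$(printf '%s' "$1" | sed 's/^v//; s/[-+].*//')
    b=$(printf '%s' "$2" | sed 's/^v//; s/[-+].*//')
    while [ -n "$a" ] || [ -n "$b" ]; do
        case "$a" in *.*) x=${a%%.*}; a=${a#*.} ;; *) x=$a; a='' ;; esac
        case "$b" in *.*) y=${b%%.*}; b=${b#*.} ;; *) y=$b; b='' ;; esac
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return 0; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return 0; fi
    done
    printf '%s\n' 0
}

# True (exit 0) when the given version is older than FIXED_IN, i.e. still affected.
is_vulnerable() {
    [ "$(vercmp "$1" "$FIXED_IN")" -lt 0 ]
}

# Pull the "version" value out of an /api/v2/status JSON document
# (versionInfo.version). "goVersion" is not matched because the pattern
# requires the opening quote directly before the word "version".
# Prefer `jq -r .versionInfo.version` when jq is installed.
status_version() {
    printf '%s' "$1" | sed -n 's/.*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# Live check against a real instance. Usage: check_host http://alertmanager:9093
# Exit status: 0 patched, 1 affected, 2 could not query the endpoint.
check_host() {
    json=$(curl -fsS "$1/api/v2/status") || return 2
    v=$(status_version "$json")
    if is_vulnerable "$v"; then
        echo "$1: Alertmanager $v is older than $FIXED_IN: CVE-2023-40577 unpatched"
        return 1
    fi
    echo "$1: Alertmanager $v is at or after $FIXED_IN"
    return 0
}

# Constructed sample of an /api/v2/status response (not captured from a real host),
# so the script can be exercised without network access.
SAMPLE_STATUS='{"cluster":{"status":"ready","peers":[]},"versionInfo":{"branch":"HEAD","buildDate":"20220325-09:31:33","buildUser":"root@example","goVersion":"go1.17.8","revision":"0000000","version":"0.24.0"},"config":{"original":"global: {}\n"},"uptime":"2024-02-19T10:00:00.000Z"}'

# Offline demonstration against the constructed sample:
v=$(status_version "$SAMPLE_STATUS")
if is_vulnerable "$v"; then
    echo "sample reports $v: affected by CVE-2023-40577 (older than $FIXED_IN)"
else
    echo "sample reports $v: not affected"
fi
```

Treat the reported version only as a first-pass signal: a distribution package can carry a backported fix under an older upstream version string, so on the openSUSE host itself the package version queried through rpm or zypper (which is what this "Local Security Checks" test compares) is the authoritative answer.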

CVSS Score:
5.5

CVSS Vector (CVSSv2):
AV:N/AC:L/Au:S/C:P/I:P/A:N

Cross-Reference: Common Vulnerability Exposure (CVE) ID: CVE-2023-40577
https://github.com/prometheus/alertmanager/security/advisories/GHSA-v86x-5fm3-5p7j
https://lists.debian.org/debian-lts-announce/2023/10/msg00011.html
Copyright: Copyright (C) 2024 Greenbone AG

© 1998-2025 E-Soft Inc. All rights reserved.