Security update for alloy

Announcement ID:	SUSE-SU-2026:0028-1
Release Date:	2026-01-05T12:53:12Z
Rating:	important
References:	bsc#1251509 bsc#1251716 bsc#1253609
Cross-References:	CVE-2025-47911 CVE-2025-47913 CVE-2025-58190
CVSS scores:	CVE-2025-47911 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVE-2025-47911 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2025-47913 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVE-2025-47913 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2025-47913 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2025-58190 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVE-2025-58190 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Affected Products:	Basesystem Module 15-SP7 SUSE Linux Enterprise Desktop 15 SP7 SUSE Linux Enterprise Real Time 15 SP7 SUSE Linux Enterprise Server 15 SP7 SUSE Linux Enterprise Server for SAP Applications 15 SP7

An update that solves three vulnerabilities can now be installed.

Description:

This update for alloy fixes the following issues:

Upgrade to version 1.12.1.

Security issues fixed:

CVE-2025-47911: golang.org/x/net/html: quadratic complexity algorithms used when parsing untrusted HTML documents (bsc#1251509).
CVE-2025-47913: golang.org/x/crypto: early client process termination when receiving an unexpected message type in response to a key listing or signing request (bsc#1253609).
CVE-2025-58190: golang.org/x/net/html: excessive memory consumption by html.ParseFragment when processing specially crafted input (bsc#1251716).

Other updates and bugfixes:

Version 1.12.1:
Bugfixes
- update to Beyla 2.7.10.
Version 1.12.0:
Breaking changes
- prometheus.exporter.blackbox, prometheus.exporter.snmp and prometheus.exporter.statsd now use the component ID instead of the hostname as their instance label in their exported metrics.
Features
- (Experimental) Add an otelcol.receiver.cloudflare component to receive logs pushed by Cloudflare's LogPush jobs.
- (Experimental) Additions to experimental database_observability.mysql component:
- explain_plans
  - collector now changes schema before returning the connection to the pool.
  - collector now passes queries more permissively.
- enable explain_plans collector by default
- (Experimental) Additions to experimental database_observability.postgres component:
- explain_plans
  - added the explain plan collector.
  - collector now passes queries more permissively.
- query_samples
  - add user field to wait events within query_samples collector.
  - rework the query samples collector to buffer per-query execution state across scrapes and emit finalized entries.
  - process turned idle rows to calculate finalization times precisely and emit first seen idle rows.
- query_details
  - escape queries coming from pg_stat_statements with quotes.
- enable explain_plans collector by default.
- safely generate server_id when UDP socket used for database connection.
- add table registry and include "validated" in parsed table name logs.
- Add otelcol.exporter.googlecloudpubsub community component to export metrics, traces, and logs to Google Cloud Pub/Sub topic.
- Add structured_metadata_drop stage for loki.process to filter structured metadata.
- Send remote config status to the remote server for the remotecfg service.
- Send effective config to the remote server for the remotecfg service.
- Add a stat_statements configuration block to the prometheus.exporter.postgres component to enable selecting both the query ID and the full SQL statement. The new block includes one option to enable statement selection, and another to configure the maximum length of the statement text.
- Add truncate stage for loki.process to truncate log entries, label values, and structured_metadata values.
- Add u_probe_links & load_probe configuration fields to alloy pyroscope.ebpf to extend configuration of the opentelemetry-ebpf-profiler to allow uprobe profiling and dynamic probing.
- Add verbose_mode configuration fields to alloy pyroscope.ebpf to be enable ebpf-profiler verbose mode.
- Add file_match block to loki.source.file for built-in file discovery using glob patterns.
- Add a regex argument to the structured_metadata stage in loki.process to extract labels matching a regular expression.
- OpenTelemetry Collector dependencies upgraded from v0.134.0 to v0.139.0.
- See the upstream core and contrib changelogs for more details.
- A new mimir.alerts.kubernetes component which discovers AlertmanagerConfig Kubernetes resources and loads them into a Mimir instance.
- Mark stage.windowsevent block in the loki.process component as GA.
Enhancements
- Add per-application rate limiting with the strategy attribute in the faro.receiver component, to prevent one application from consuming the rate limit quota of others.
- Add support of tls in components loki.source.(awsfirehose|gcplog|heroku|api) and prometheus.receive_http and pyroscope.receive_http.
- Remove SendSIGKILL=no from unit files and recommendations.
- Reduce memory overhead of prometheus.remote_write's WAL by lowering the size of the allocated series storage.
- Reduce lock wait/contention on the labelstore.LabelStore by removing unecessary usage from prometheus.relabel.
- prometheus.exporter.postgres dependency has been updated to v0.18.1.
- Update Beyla component to 2.7.8.
- Support delimiters in stage.luhn.
- pyroscope.java: update async-profiler to 4.2.
- prometheus.exporter.unix: Add an arp config block to configure the ARP collector.
- prometheus.exporter.snowflake dependency has been updated to 20251016132346-6d442402afb2.
- loki.source.podlogs now supports preserve_discovered_labels parameter to preserve discovered pod metadata labels for use by downstream components.
- Rework underlying framework of Alloy UI to use Vite instead of Create React App.
- Use POST requests for remote config requests to avoid hitting http2 header limits.
- loki.source.api during component shutdown will now reject all the inflight requests with status code 503 after graceful_shutdown_timeout has expired.
- kubernetes.discovery: Add support for attaching namespace metadata.
- Add meta_cache_address to beyla.ebpf component.
Bugfixes
- Stop loki.source.kubernetes discarding log lines with duplicate timestamps.
- Fix direction of arrows for pyroscope components in UI graph.
- Only log EOF errors for syslog port investigations in loki.source.syslog as Debug, not Warn.
- Fix prometheus.exporter.process ignoring the remove_empty_groups argument.
- Fix issues with "unknown series ref when trying to add exemplar" from prometheus.remote_write by allowing series ref links to be updated if they change.
- Fix loki.source.podlogs component to register the Kubernetes field index for spec.nodeName when node filtering is enabled, preventing "Index with name field:spec.nodeName does not exist" errors.
- Fix issue in loki.source.file where scheduling files could take too long.
- Fix loki.write no longer includes internal labels __.
- Fix missing native histograms custom buckets (NHCB) samples from prometheus.remote_write.
- otelcol.receiver.prometheus now supports mixed histograms if prometheus.scrape has honor_metadata set to true.
- loki.source.file has better support for non-UTF-8 encoded files.
- Fix the loki.write endpoint block's enable_http2 attribute to actually affect the client.
- Optionally remove trailing newlines before appending entries in stage.multiline.
- loki.source.api no longer drops request when relabel rules drops a specific stream.

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

Basesystem Module 15-SP7
zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP7-2026-28=1

Package List:

Basesystem Module 15-SP7 (aarch64 ppc64le s390x x86_64)
- alloy-debuginfo-1.12.1-150700.15.12.1
- alloy-1.12.1-150700.15.12.1

Security update for alloy

Description:

Patch Instructions:

Package List:

References: