Security update for golang-github-prometheus-prometheus

Announcement ID:	SUSE-SU-2025:01990-1
Release Date:	2025-06-18T02:12:03Z
Rating:	moderate
References:	bsc#1208752 bsc#1236516 bsc#1238686 jsc#MSQA-992 jsc#PED-11740
Cross-References:	CVE-2023-45288 CVE-2025-22870
CVSS scores:	CVE-2023-45288 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVE-2023-45288 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2025-22870 ( SUSE ): 4.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N CVE-2025-22870 ( SUSE ): 4.4 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L CVE-2025-22870 ( NVD ): 4.4 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
Affected Products:	openSUSE Leap 15.6 SUSE Linux Enterprise Desktop 15 SP6 SUSE Linux Enterprise Desktop 15 SP7 SUSE Linux Enterprise Real Time 15 SP6 SUSE Linux Enterprise Real Time 15 SP7 SUSE Linux Enterprise Server 15 SP6 SUSE Linux Enterprise Server 15 SP7 SUSE Linux Enterprise Server for SAP Applications 15 SP6 SUSE Linux Enterprise Server for SAP Applications 15 SP7 SUSE Manager Proxy 4.3 SUSE Manager Proxy 4.3 Module SUSE Manager Retail Branch Server 4.3 SUSE Package Hub 15 15-SP6 SUSE Package Hub 15 15-SP7

An update that solves two vulnerabilities, contains two features and has one security fix can now be installed.

Description:

This update for golang-github-prometheus-prometheus fixes the following issues:

• Security issues fixed:
• CVE-2023-45288: Require Go >= 1.23 for building (bsc#1236516)

• CVE-2025-22870: Bump golang.org/x/net to version 0.39.0 (bsc#1238686)

• Version was updated to 2.53.4 with the following bug fixes:

• Runtime: fix GOGC is being set to 0 when installed with empty prometheus.yml file resulting high cpu usage
• Scrape: fix dropping valid metrics after previous scrape failed

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• openSUSE Leap 15.6
  zypper in -t patch openSUSE-SLE-15.6-2025-1990=1
• SUSE Package Hub 15 15-SP6
  zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP6-2025-1990=1
• SUSE Package Hub 15 15-SP7
  zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP7-2025-1990=1
• SUSE Manager Proxy 4.3 Module
  zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Proxy-4.3-2025-1990=1

Package List:

• openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64)
  • golang-github-prometheus-prometheus-2.53.4-150100.4.26.2
  • firewalld-prometheus-config-0.1-150100.4.26.2
• SUSE Package Hub 15 15-SP6 (aarch64 ppc64le s390x x86_64)
  • golang-github-prometheus-prometheus-2.53.4-150100.4.26.2
• SUSE Package Hub 15 15-SP7 (aarch64 ppc64le s390x x86_64)
  • golang-github-prometheus-prometheus-2.53.4-150100.4.26.2
  • golang-github-prometheus-prometheus-debuginfo-2.53.4-150100.4.26.2
• SUSE Manager Proxy 4.3 Module (aarch64 ppc64le s390x x86_64)
  • golang-github-prometheus-prometheus-2.53.4-150100.4.26.2

References:

• https://www.suse.com/security/cve/CVE-2023-45288.html
• https://www.suse.com/security/cve/CVE-2025-22870.html
• https://bugzilla.suse.com/show_bug.cgi?id=1208752
• https://bugzilla.suse.com/show_bug.cgi?id=1236516
• https://bugzilla.suse.com/show_bug.cgi?id=1238686
• https://jira.suse.com/browse/MSQA-992
• https://jira.suse.com/browse/PED-11740