{"affected":[{"ecosystem_specific":{"binaries":[{"golang-github-prometheus-alertmanager":"0.26.0-150100.4.19.1"}]},"package":{"ecosystem":"SUSE:Manager Client Tools 15","name":"golang-github-prometheus-alertmanager","purl":"pkg:rpm/suse/golang-github-prometheus-alertmanager&distro=SUSE%20Manager%20Client%20Tools%2015"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"0.26.0-150100.4.19.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"golang-github-prometheus-alertmanager":"0.26.0-150100.4.19.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Module for Package Hub 15 SP5","name":"golang-github-prometheus-alertmanager","purl":"pkg:rpm/suse/golang-github-prometheus-alertmanager&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP5"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"0.26.0-150100.4.19.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"golang-github-prometheus-alertmanager":"0.26.0-150100.4.19.1"}]},"package":{"ecosystem":"SUSE:Manager Proxy Module 4.3","name":"golang-github-prometheus-alertmanager","purl":"pkg:rpm/suse/golang-github-prometheus-alertmanager&distro=SUSE%20Manager%20Proxy%20Module%204.3"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"0.26.0-150100.4.19.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"golang-github-prometheus-alertmanager":"0.26.0-150100.4.19.1"}]},"package":{"ecosystem":"openSUSE:Leap 15.5","name":"golang-github-prometheus-alertmanager","purl":"pkg:rpm/opensuse/golang-github-prometheus-alertmanager&distro=openSUSE%20Leap%2015.5"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"0.26.0-150100.4.19.1"}],"type":"ECOSYSTEM"}]}],"aliases":[],"details":"This update for golang-github-prometheus-alertmanager fixes the following issues:\n    \ngolang-github-prometheus-alertmanager was updated from version 0.23.0 to 0.26.0 (jsc#PED-7353):\n\n- Version 0.26.0:\n  * Security fixes:\n    +  CVE-2023-40577: Fix stored XSS via the /api/v1/alerts endpoint in the Alertmanager UI (bsc#1218838)\n  * Other changes and bugs fixed:\n    + Configuration: Fix empty list of receivers and inhibit_rules would cause the alertmanager to crash\n    + Templating: Fixed a race condition when using the title function. It is now race-safe\n    + API: Fixed duplicate receiver names in the api/v2/receivers API endpoint\n    + API: Attempting to delete a silence now returns the correct status code, 404 instead of 500\n    + Clustering: Fixes a panic when tls_client_config is empty\n    + Webhook: url is now marked as a secret. It will no longer show up in the logs as clear-text\n    + Metrics: New label reason for alertmanager_notifications_failed_total metric to indicate the type of error of the\n      alert delivery\n    + Clustering: New flag --cluster.label, to help to block any traffic that is not meant for the cluster\n    + Integrations: Add Microsoft Teams as a supported integration\n- Version 0.25.0:\n  * Fail configuration loading if api_key and api_key_file are defined at the same time\n  * Fix the alertmanager_alerts metric to avoid counting resolved alerts as active. Also added a new\n    alertmanager_marked_alerts metric that retain the old behavior\n  * Trim contents of Slack API URLs when reading from files\n  * amtool: Avoid panic when the label value matcher is empty\n  * Fail configuration loading if api_url is empty for OpsGenie\n  * Fix email template for resolved notifications\n  * Add proxy_url support for OAuth2 in HTTP client configuration\n  * Reload TLS certificate and key from disk when updated\n  * Add Discord integration\n  * Add Webex integration\n  * Add min_version support to select the minimum TLS version in HTTP client configuration\n  * Add max_version support to select the maximum TLS version in HTTP client configuration\n  * Emit warning logs when truncating messages in notifications\n  * Support HEAD method for the /-/healty and /-/ready endpoints\n  * Add support for reading global and local SMTP passwords from files\n  * UI: Add 'Link' button to alerts in list\n  * UI: Allow to choose the first day of the week as Sunday or Monday\n- Version 0.24.0:\n  * Fix HTTP client configuration for the SNS receiver\n  * Fix unclosed file descriptor after reading the silences snapshot file\n  * Fix field names for mute_time_intervals in JSON marshaling\n  * Ensure that the root route doesn't have any matchers\n  * Truncate the message's title to 1024 chars to avoid hitting Slack limits\n  * Fix the default HTML email template (email.default.html) to match with the canonical source\n  * Detect SNS FIFO topic based on the rendered value\n  * Avoid deleting and recreating a silence when an update is possible\n  * api/v2: Return 200 OK when deleting an expired silence\n  * amtool: Fix the silence's end date when adding a silence. The end date is (start date + duration) while it used to\n    be (current time + duration). The new behavior is consistent with the update operation\n  * Add the /api/v2 prefix to all endpoints in the OpenAPI specification and generated client code\n  * Add --cluster.tls-config experimental flag to secure cluster traffic via mutual TLS\n  * Add Telegram integration\n","id":"SUSE-SU-2024:0512-1","modified":"2024-02-15T13:43:08Z","published":"2024-02-15T13:43:08Z","references":[{"type":"ADVISORY","url":"https://www.suse.com/support/update/announcement/2024/suse-su-20240512-1/"},{"type":"REPORT","url":"https://bugzilla.suse.com/1218838"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2023-40577"}],"related":["CVE-2023-40577"],"summary":"Security update for golang-github-prometheus-alertmanager","upstream":["CVE-2023-40577"]}