<div class="container">
<h1>Security update for alloy</h1>
<table class="table table-striped table-bordered">
<tbody>
<tr>
<th>Announcement ID:</th>
<td>SUSE-SU-2026:0028-1</td>
</tr>
<tr>
<th>Release Date:</th>
<td>2026-01-05T12:53:12Z</td>
</tr>
<tr>
<th>Rating:</th>
<td>important</td>
</tr>
<tr>
<th>References:</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1251509">bsc#1251509</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1251716">bsc#1251716</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1253609">bsc#1253609</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>
Cross-References:
</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2025-47911.html">CVE-2025-47911</a>
</li>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2025-47913.html">CVE-2025-47913</a>
</li>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2025-58190.html">CVE-2025-58190</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>CVSS scores:</th>
<td>
<ul class="list-group">
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-47911</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">6.9</span>
<span class="cvss-vector">CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-47911</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">5.3</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-47913</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">8.7</span>
<span class="cvss-vector">CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-47913</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">7.5</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-47913</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">7.5</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-58190</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">6.9</span>
<span class="cvss-vector">CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-58190</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">5.3</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L</span>
</li>
</ul>
</td>
</tr>
<tr>
<th>Affected Products:</th>
<td>
<ul class="list-group">
<li class="list-group-item">Basesystem Module 15-SP7</li>
<li class="list-group-item">SUSE Linux Enterprise Desktop 15 SP7</li>
<li class="list-group-item">SUSE Linux Enterprise Real Time 15 SP7</li>
<li class="list-group-item">SUSE Linux Enterprise Server 15 SP7</li>
<li class="list-group-item">SUSE Linux Enterprise Server for SAP Applications 15 SP7</li>
</ul>
</td>
</tr>
</tbody>
</table>
<p>An update that solves three vulnerabilities can now be installed.</p>
<h2>Description:</h2>
<p>This update for alloy fixes the following issues:</p>
<p>Upgrade to version 1.12.1.</p>
<p>Security issues fixed:</p>
<ul>
<li>CVE-2025-47911: golang.org/x/net/html: quadratic complexity algorithms used when parsing untrusted HTML documents
(bsc#1251509).</li>
<li>CVE-2025-47913: golang.org/x/crypto: early client process termination when receiving an unexpected message type in
response to a key listing or signing request (bsc#1253609).</li>
<li>CVE-2025-58190: golang.org/x/net/html: excessive memory consumption by <code>html.ParseFragment</code> when processing specially
crafted input (bsc#1251716).</li>
</ul>
<p>Other updates and bugfixes:</p>
<ul>
<li>Version 1.12.1:</li>
<li>
<p>Bugfixes</p>
<ul>
<li>update to Beyla 2.7.10.</li>
</ul>
</li>
<li>
<p>Version 1.12.0:</p>
</li>
<li>Breaking changes<ul>
<li><code>prometheus.exporter.blackbox</code>, <code>prometheus.exporter.snmp</code> and <code>prometheus.exporter.statsd</code> now use the component
ID instead of the hostname as their instance label in their exported metrics.</li>
</ul>
</li>
<li>Features<ul>
<li>(Experimental) Add an <code>otelcol.receiver.cloudflare</code> component to receive logs pushed by Cloudflare's LogPush
jobs.</li>
<li>(Experimental) Additions to experimental <code>database_observability.mysql</code> component:</li>
<li><code>explain_plans</code><ul>
<li>collector now changes schema before returning the connection to the pool.</li>
<li>collector now passes queries more permissively.</li>
</ul>
</li>
<li>enable <code>explain_plans</code> collector by default</li>
<li>(Experimental) Additions to experimental <code>database_observability.postgres</code> component:</li>
<li><code>explain_plans</code><ul>
<li>added the explain plan collector.</li>
<li>collector now passes queries more permissively.</li>
</ul>
</li>
<li><code>query_samples</code><ul>
<li>add user field to wait events within <code>query_samples</code> collector.</li>
<li>rework the query samples collector to buffer per-query execution state across scrapes and emit finalized
entries.</li>
<li>process turned idle rows to calculate finalization times precisely and emit first seen idle rows.</li>
</ul>
</li>
<li><code>query_details</code><ul>
<li>escape queries coming from <code>pg_stat_statements</code> with quotes.</li>
</ul>
</li>
<li>enable <code>explain_plans</code> collector by default.</li>
<li>safely generate <code>server_id</code> when UDP socket used for database connection.</li>
<li>add table registry and include "validated" in parsed table name logs.</li>
<li>Add <code>otelcol.exporter.googlecloudpubsub</code> community component to export metrics, traces, and logs to Google Cloud
Pub/Sub topic.</li>
<li>Add <code>structured_metadata_drop</code> stage for <code>loki.process</code> to filter structured metadata.</li>
<li>Send remote config status to the remote server for the <code>remotecfg</code> service.</li>
<li>Send effective config to the remote server for the <code>remotecfg</code> service.</li>
<li>Add a <code>stat_statements</code> configuration block to the <code>prometheus.exporter.postgres</code> component to enable selecting
both the query ID and the full SQL statement. The new block includes one option to enable statement selection,
and another to configure the maximum length of the statement text.</li>
<li>Add truncate stage for <code>loki.process</code> to truncate log entries, label values, and <code>structured_metadata</code> values.</li>
<li>Add <code>u_probe_links</code> & <code>load_probe</code> configuration fields to alloy <code>pyroscope.ebpf</code> to extend configuration of
the <code>opentelemetry-ebpf-profiler</code> to allow uprobe profiling and dynamic probing.</li>
<li>Add <code>verbose_mode</code> configuration fields to <code>alloy pyroscope.ebpf</code> to be enable <code>ebpf-profiler</code> verbose mode.</li>
<li>Add <code>file_match</code> block to <code>loki.source.file</code> for built-in file discovery using glob patterns.</li>
<li>Add a regex argument to the <code>structured_metadata</code> stage in <code>loki.process</code> to extract labels matching a regular
expression.</li>
<li>OpenTelemetry Collector dependencies upgraded from v0.134.0 to v0.139.0.</li>
<li>See the upstream
<a href="https://github.com/open-telemetry/opentelemetry-collector/blob/v0.139.0/CHANGELOG.md">core</a>
and
<a href="https://github.com/open-telemetry/opentelemetry-collector-contrib/blob/v0.139.0/CHANGELOG.md">contrib</a>
changelogs for more details.</li>
<li>A new <code>mimir.alerts.kubernetes</code> component which discovers AlertmanagerConfig Kubernetes resources and loads them
into a Mimir instance.</li>
<li>Mark <code>stage.windowsevent</code> block in the <code>loki.process</code> component as GA.</li>
</ul>
</li>
<li>Enhancements<ul>
<li>Add per-application rate limiting with the strategy attribute in the <code>faro.receiver</code> component, to prevent one
application from consuming the rate limit quota of others.</li>
<li>Add support of tls in components <code>loki.source.(awsfirehose|gcplog|heroku|api)</code> and <code>prometheus.receive_http</code> and
<code>pyroscope.receive_http</code>.</li>
<li>Remove <code>SendSIGKILL=no</code> from unit files and recommendations.</li>
<li>Reduce memory overhead of <code>prometheus.remote_write</code>'s WAL by lowering the size of the allocated series storage.</li>
<li>Reduce lock wait/contention on the <code>labelstore.LabelStore</code> by removing unecessary usage from
<code>prometheus.relabel</code>.</li>
<li><code>prometheus.exporter.postgres</code> dependency has been updated to v0.18.1.</li>
<li>Update Beyla component to 2.7.8.</li>
<li>Support delimiters in <code>stage.luhn</code>.</li>
<li><code>pyroscope.java</code>: update <code>async-profiler</code> to 4.2.</li>
<li><code>prometheus.exporter.unix</code>: Add an arp config block to configure the ARP collector.</li>
<li><code>prometheus.exporter.snowflake</code> dependency has been updated to 20251016132346-6d442402afb2.</li>
<li><code>loki.source.podlogs</code> now supports <code>preserve_discovered_labels</code> parameter to preserve discovered pod metadata
labels for use by downstream components.</li>
<li>Rework underlying framework of Alloy UI to use Vite instead of Create React App.</li>
<li>Use POST requests for remote config requests to avoid hitting http2 header limits.</li>
<li><code>loki.source.api</code> during component shutdown will now reject all the inflight requests with status code 503 after
<code>graceful_shutdown_timeout</code> has expired.</li>
<li><code>kubernetes.discovery</code>: Add support for attaching namespace metadata.</li>
<li>Add <code>meta_cache_address</code> to <code>beyla.ebpf</code> component.</li>
</ul>
</li>
<li>Bugfixes<ul>
<li>Stop <code>loki.source.kubernetes</code> discarding log lines with duplicate timestamps.</li>
<li>Fix direction of arrows for pyroscope components in UI graph.</li>
<li>Only log EOF errors for syslog port investigations in <code>loki.source.syslog</code> as Debug, not Warn.</li>
<li>Fix <code>prometheus.exporter.process</code> ignoring the <code>remove_empty_groups</code> argument.</li>
<li>Fix issues with "unknown series ref when trying to add exemplar" from <code>prometheus.remote_write</code> by allowing
series ref links to be updated if they change.</li>
<li>Fix <code>loki.source.podlogs</code> component to register the Kubernetes field index for <code>spec.nodeName</code> when node
filtering is enabled, preventing "Index with name <code>field:spec.nodeName</code> does not exist" errors.</li>
<li>Fix issue in <code>loki.source.file</code> where scheduling files could take too long.</li>
<li>Fix <code>loki.write</code> no longer includes internal labels __.</li>
<li>Fix missing native histograms custom buckets (NHCB) samples from <code>prometheus.remote_write</code>.</li>
<li><code>otelcol.receiver.prometheus</code> now supports mixed histograms if <code>prometheus.scrape</code> has <code>honor_metadata</code> set to
true.</li>
<li><code>loki.source.file</code> has better support for non-UTF-8 encoded files.</li>
<li>Fix the <code>loki.write</code> endpoint block's <code>enable_http2</code> attribute to actually affect the client.</li>
<li>Optionally remove trailing newlines before appending entries in <code>stage.multiline</code>.</li>
<li><code>loki.source.api</code> no longer drops request when relabel rules drops a specific stream.</li>
</ul>
</li>
</ul>
<h2>Patch Instructions:</h2>
<p>
To install this SUSE update use the SUSE recommended
installation methods like YaST online_update or "zypper patch".<br/>
Alternatively you can run the command listed for your product:
</p>
<ul class="list-group">
<li class="list-group-item">
Basesystem Module 15-SP7
<br/>
<code>zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP7-2026-28=1</code>
</li>
</ul>
<h2>Package List:</h2>
<ul>
<li>
Basesystem Module 15-SP7 (aarch64 ppc64le s390x x86_64)
<ul>
<li>alloy-debuginfo-1.12.1-150700.15.12.1</li>
<li>alloy-1.12.1-150700.15.12.1</li>
</ul>
</li>
</ul>
<h2>References:</h2>
<ul>
<li>
<a href="https://www.suse.com/security/cve/CVE-2025-47911.html">https://www.suse.com/security/cve/CVE-2025-47911.html</a>
</li>
<li>
<a href="https://www.suse.com/security/cve/CVE-2025-47913.html">https://www.suse.com/security/cve/CVE-2025-47913.html</a>
</li>
<li>
<a href="https://www.suse.com/security/cve/CVE-2025-58190.html">https://www.suse.com/security/cve/CVE-2025-58190.html</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1251509">https://bugzilla.suse.com/show_bug.cgi?id=1251509</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1251716">https://bugzilla.suse.com/show_bug.cgi?id=1251716</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1253609">https://bugzilla.suse.com/show_bug.cgi?id=1253609</a>
</li>
</ul>
</div>