<div class="container">
<h1>Security update for golang-github-prometheus-prometheus</h1>
<table class="table table-striped table-bordered">
<tbody>
<tr>
<th>Announcement ID:</th>
<td>SUSE-SU-2026:20232-1</td>
</tr>
<tr>
<th>Release Date:</th>
<td>2026-02-05T10:44:24Z</td>
</tr>
<tr>
<th>Rating:</th>
<td>important</td>
</tr>
<tr>
<th>References:</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1255588">bsc#1255588</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1257329">bsc#1257329</a>
</li>
<li style="display: inline;">
<a href="https://jira.suse.com/browse/PED-13824">jsc#PED-13824</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>
Cross-References:
</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2025-12816.html">CVE-2025-12816</a>
</li>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2025-13465.html">CVE-2025-13465</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>CVSS scores:</th>
<td>
<ul class="list-group">
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-12816</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">8.6</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-12816</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">8.6</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-13465</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">8.8</span>
<span class="cvss-vector">CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-13465</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">8.2</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-13465</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">6.9</span>
<span class="cvss-vector">CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X</span>
</li>
</ul>
</td>
</tr>
<tr>
<th>Affected Products:</th>
<td>
<ul class="list-group">
<li class="list-group-item">SUSE Linux Enterprise Server 16.0</li>
<li class="list-group-item">SUSE Linux Enterprise Server for SAP Applications 16.0</li>
</ul>
</td>
</tr>
</tbody>
</table>
<p>An update that solves two vulnerabilities and contains one feature can now be installed.</p>
<h2>Description:</h2>
<p>This update for golang-github-prometheus-prometheus fixes the following issues:</p>
<p>Update to version 3.5.0:</p>
<p>Security issues fixed:</p>
<ul>
<li>CVE-2025-13465: prototype pollution in the <em>.unset and </em>.omit functions can lead to deletion of methods from global (bsc#1257329).</li>
<li>CVE-2025-12816: interpretation conflict vulnerability allowing bypassing cryptographic verifications (bsc#1255588).</li>
</ul>
<p>Other updates and bugfixes:</p>
<ul>
<li>
<p>Update to 3.5.0 (jsc#PED-13824):</p>
</li>
<li>
<p>[FEATURE] Remote-write: Add support for Azure Workload Identity
as an authentication method for the receiver.</p>
</li>
<li>[FEATURE] PromQL: Add first_over_time(...) and
ts_of_first_over_time(...) behind feature flag.</li>
<li>[FEATURE] Federation: Add support for native histograms with
custom buckets (NHCB).</li>
<li>[ENHANCEMENT] PromQL: Add warn-level annotations for counter
reset conflicts in certain histogram operations.</li>
<li>
<p>[ENHANCEMENT] UI: Add scrape interval and scrape timeout to
targets page.</p>
</li>
<li>
<p>Update to 3.4.0:</p>
</li>
<li>
<p>Add unified AWS service discovery for ec2, lightsail and ecs services.</p>
</li>
<li>[FEATURE] Native histograms are now a stable, but optional
feature.</li>
<li>[FEATURE] UI: Show detailed relabeling steps for each
discovered target.</li>
<li>[ENHANCEMENT] Alerting: Add "unknown" state for alerting rules
that haven't been evaluated yet.</li>
<li>
<p>[BUGFIX] Scrape: Fix a bug where scrape cache would not be
cleared on startup.</p>
</li>
<li>
<p>Update to 3.3.0:</p>
</li>
<li>
<p>[FEATURE] Spring Boot 3.3 includes support for the Prometheus
Client 1.x.</p>
</li>
<li>
<p>[ENHANCEMENT] Dependency management for Dropwizard Metrics has
been removed.</p>
</li>
<li>
<p>Update to 3.2.0:</p>
</li>
<li>
<p>[FEATURE] OAuth2: support jwt-bearer grant-type (RFC7523 3.1).</p>
</li>
<li>[ENHANCEMENT] PromQL: Reconcile mismatched NHCB bounds in Add
and Sub.</li>
<li>
<p>[BUGFIX] TSDB: Native Histogram Custom Bounds with a NaN
threshold are now rejected.</p>
</li>
<li>
<p>Update to 3.1.0:</p>
</li>
<li>
<p>[FEATURE] Remote-write 2 (receiving): Update to 2.0-rc.4 spec.
"created timestamp" (CT) is now called "start timestamp" (ST).</p>
</li>
<li>
<p>[BUGFIX] Mixin: Add static UID to the remote-write dashboard.</p>
</li>
<li>
<p>Update to 3.0.1:</p>
</li>
<li>
<p>[BUGFIX] Promql: Make subqueries left open.</p>
</li>
<li>[BUGFIX] Fix memory leak when query log is enabled.</li>
<li>
<p>[BUGFIX] Support utf8 names on /v1/label/:name/values endpoint.</p>
</li>
<li>
<p>Update to 3.0.0:</p>
</li>
<li>
<p>[CHANGE] Deprecated feature flags removed.</p>
</li>
<li>[FEATURE] New UI.</li>
<li>[FEATURE] Remote Write 2.0.</li>
<li>[FEATURE] OpenTelemetry Support.</li>
<li>[FEATURE] UTF-8 support is now stable and enabled by default.</li>
<li>[FEATURE] OTLP Ingestion.</li>
<li>[FEATURE] Native Histograms.</li>
<li>[BUGFIX] PromQL: Fix count_values for histograms.</li>
<li>[BUGFIX] TSDB: Fix race on stale values in headAppender.</li>
<li>
<p>[BUGFIX] UI: Fix selector / series formatting for empty metric
names.</p>
</li>
<li>
<p>Update to 2.55.0:</p>
</li>
<li>
<p>[FEATURE] PromQL: Add <code>last_over_time</code> function.</p>
</li>
<li>[FEATURE] Agent: Add <code>prometheus_agent_build_info</code> metric.</li>
<li>[ENHANCEMENT] PromQL: Optimise <code>group()</code> and <code>group by()</code>.</li>
<li>[ENHANCEMENT] TSDB: Reduce memory usage when loading blocks.</li>
<li>
<p>[BUGFIX] Scrape: Fix a bug where a target could be scraped
multiple times.</p>
</li>
<li>
<p>Update to 2.54.0:</p>
</li>
<li>
<p>[CHANGE] Remote-Write: highest_timestamp_in_seconds and
queue_highest_sent_timestamp_seconds metrics now initialized to
0.</p>
</li>
<li>[CHANGE] API: Split warnings from info annotations in API
response.</li>
<li>[FEATURE] Remote-Write: Version 2.0 experimental, plus metadata
in WAL via feature flag.</li>
<li>[FEATURE] PromQL: add limitk() and limit_ratio() aggregation
operators.</li>
<li>[ENHANCEMENT] PromQL: Accept underscores in literal numbers.</li>
<li>[ENHANCEMENT] PromQL: float literal numbers and durations are
now interchangeable (experimental).</li>
<li>[ENHANCEMENT] PromQL (experimental native histograms): Optimize
histogram_count and histogram_sum functions.</li>
<li>[BUGFIX] PromQL: Fix various issues with native histograms.</li>
<li>[BUGFIX] TSDB: Fix race on stale values in headAppender.</li>
<li>[BUGFIX] OTLP receiver: Allow colons in non-standard units.</li>
</ul>
<h2>Patch Instructions:</h2>
<p>
To install this SUSE update use the SUSE recommended
installation methods like YaST online_update or "zypper patch".<br/>
Alternatively you can run the command listed for your product:
</p>
<ul class="list-group">
<li class="list-group-item">
SUSE Linux Enterprise Server 16.0
<br/>
<code>zypper in -t patch SUSE-SLES-16.0-243=1</code>
</li>
<li class="list-group-item">
SUSE Linux Enterprise Server for SAP Applications 16.0
<br/>
<code>zypper in -t patch SUSE-SLES-16.0-243=1</code>
</li>
</ul>
<h2>Package List:</h2>
<ul>
<li>
SUSE Linux Enterprise Server 16.0 (aarch64 ppc64le s390x x86_64)
<ul>
<li>golang-github-prometheus-prometheus-3.5.0-160000.1.1</li>
<li>golang-github-prometheus-prometheus-debuginfo-3.5.0-160000.1.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise Server for SAP Applications 16.0 (ppc64le x86_64)
<ul>
<li>golang-github-prometheus-prometheus-3.5.0-160000.1.1</li>
<li>golang-github-prometheus-prometheus-debuginfo-3.5.0-160000.1.1</li>
</ul>
</li>
</ul>
<h2>References:</h2>
<ul>
<li>
<a href="https://www.suse.com/security/cve/CVE-2025-12816.html">https://www.suse.com/security/cve/CVE-2025-12816.html</a>
</li>
<li>
<a href="https://www.suse.com/security/cve/CVE-2025-13465.html">https://www.suse.com/security/cve/CVE-2025-13465.html</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1255588">https://bugzilla.suse.com/show_bug.cgi?id=1255588</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1257329">https://bugzilla.suse.com/show_bug.cgi?id=1257329</a>
</li>
<li>
<a href="https://jira.suse.com/browse/PED-13824">https://jira.suse.com/browse/PED-13824</a>
</li>
</ul>
</div>