SUSE-SU-2026:2438-1: important: Security update for alloy
SLE-UPDATES
null at suse.de
Wed Jun 17 20:30:18 UTC 2026
# Security update for alloy
Announcement ID: SUSE-SU-2026:2438-1
Release Date: 2026-06-17T14:45:02Z
Rating: important
References:
* bsc#1258099
* bsc#1258609
* bsc#1259919
* bsc#1260317
* bsc#1262955
* bsc#1263530
* jsc#PED-14815
Cross-References:
* CVE-2026-25934
* CVE-2026-26958
* CVE-2026-33186
* CVE-2026-34986
* CVE-2026-41602
* CVE-2026-4427
CVSS scores:
* CVE-2026-25934 ( SUSE ): 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
* CVE-2026-25934 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
* CVE-2026-25934 ( NVD ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
* CVE-2026-26958 ( SUSE ): 8.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N
* CVE-2026-26958 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L
* CVE-2026-26958 ( NVD ): 1.7 CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
* CVE-2026-33186 ( SUSE ): 8.6 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
* CVE-2026-33186 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
* CVE-2026-33186 ( NVD ): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
* CVE-2026-34986 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-34986 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-34986 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-41602 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-41602 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-41602 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-4427 ( SUSE ): 8.2 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-4427 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-4427 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:
* Basesystem Module 15-SP7
* SUSE Linux Enterprise Desktop 15 SP7
* SUSE Linux Enterprise Real Time 15 SP7
* SUSE Linux Enterprise Server 15 SP7
* SUSE Linux Enterprise Server for SAP Applications 15 SP7
An update that solves six vulnerabilities and contains one feature can now be
installed.
## Description:
This update for alloy fixes the following issues:
Security issues:
* CVE-2026-4427: github.com/jackc/pgproto3/v2: improper validation of field
length allows a malicious PostgreSQL server to crash a client application
via a DataRow message (bsc#1259919).
* CVE-2026-25934: github.com/go-git/go-git/v5: improper verification of data
integrity values for .pack and .idx files can lead to the consumption of
corrupted files (bsc#1258099).
* CVE-2026-26958: filippo.io/edwards25519: failure to initialize receiver in
MultiScalarMult can produce invalid results and lead to undefined behavior
(bsc#1258609).
* CVE-2026-33186: google.golang.org/grpc: authorization bypass due to improper
validation of the HTTP/2 :path pseudo-header (bsc#1260317).
* CVE-2026-34986: github.com/go-jose/go-jose/v4: crafted JWE input with a
missing encrypted key can lead to a denial of service (bsc#1262955).
* CVE-2026-41602: github.com/apache/thrift: TFramedTransport frame size
headers can lead to a uint32 integer overflow (bsc#1263530).
Non-security issues:
* Use systemd tmpfiles.d to create /var/lib/alloy hierarchy (jsc#PED-14815).
* Update to version 1.16.1
* Bug fixes: logging: Fix startup deadlock when components log before logging
config is evaluated
* Update to Beyla 3.9.8
* Migrate from Docker to Moby
* Use latest openSUSE Tumbleweed image for building web UI assets
* Install nvm to set node version specified upstream
* update to 1.16.0:
* Features
* Add clustering for loki.source.kubernetes_events (#6027) (3dbf587)
(@petewall)
* Add otelcol.auth.google client auth provider (#5526) (da99a66) (@dashpole,
@clayton-cornell)
* beyla.ebpf: Bump to v3.7.0 (#5966) (5126c2e) (@marctc)
* database_observability: Add support for GCP Cloud SQL metadata (#5875)
(5d23245) (@cristiangreco, @clayton-cornell)
* database_observability: Make targets optional (#5924) (54664b2)
(@matthewnolf)
* database_observability: Update default excluded schemas and users (#6080)
(b386fff) (@cristiangreco)
* faro.receiver: Add sourcemap fetching from remote locations (#4614)
(b6cb5da) (@Oxel40)
* helm: Add support for global.image.pullPolicy (#6069) (2e2ce72) (@petewall)
* helm: Allow configuring image pull policy for config reloader (#5923)
(991539b) (@kalleep)
* loki.secretfilter: Add label_timed_out option to mark timed-out log lines
(#5898) (2ad8834) (@kleimkuhler)
* loki.secretfilter: Add secrets_redacted_by_category_total metric combining
rule and origin (#5855) (053a2f7) (@kleimkuhler)
* loki.secretfilter: Change secretfilter to use go-re2 regex library instead
of stdlib (#5909) (c16a660) (@mikefat)
* loki.secretfilter: Remove redundant secrets_redacted_by_rule_total and
secrets_redacted_by_origin metrics (#5970) (b16decb) (@kleimkuhler)
* Oracle exporter can scrape more than one DB (#6008) (6fbad38) (@ptodev)
* prometheus.exporter.cloudwatch: Upgrade YACE and drop aws-sdk-go v1 support
(#5936) (f1c036d) (@x1unix)
* prometheus.exporter.mysql: Update to mysqld_exporter 0.19.0 (#5836)
(4f49b57) (@cristiangreco)
* prometheus.remote_write: Sync WAL with upstream Prometheus (#5907) (e74a91b)
(@x1unix)
* pyroscope: Add support for extra async-profiler CLI arguments (#5472)
(9251e33) (@ivanape)
* pyroscope: Replace Parca gRPC debuginfo upload with Pyroscope Connect API
(#5891) (e7ea34a) (@korniltsev-grafanista)
* pyroscope: Update debuginfo client for HTTP/1.1 upload API (#6037) (879d8e5)
(@korniltsev-grafanista)
* Change service stop command from 'sc' to 'net' (#5906) (450973d)
(@mateuszdrab)
* database_observability.mysql: Refactor explain plan loop batch size (#5894)
(f0fcd6b) (@cristiangreco)
* database_observability.postgres: Cleanup embedded exporter collectors on
reconnection (#6079) (f30d9ae) (@cristiangreco)
* database_observability.postgres: Fix EXPLAIN param count when placeholders
repeat (#6082) (b612b81) (@rgeyer)
* database_observability: Drop schema_detection from logs (#6076) (b0105cb)
(@cristiangreco)
* database_observability: Ensure connection_info_monitor goroutine exits on
Stop (#5874) (1e3334b) (@cristiangreco)
* deps: Update module github.com/aws/aws-sdk-go-v2/service/s3 to v1.97.3
[SECURITY] (#6004) (38f4346)
* deps: Update module github.com/go-git/go-git/v5 to v5.17.1 [SECURITY]
(#5934) (a5154af)
* deps: Update module github.com/go-git/go-git/v5 to v5.18.0 [SECURITY]
(#6090) (0e59d64)
* deps: Update module github.com/nwaples/rardecode/v2 to v2.2.0 [SECURITY]
(b44d51a) (@jharvey10)
* deps: Update module
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp to v1.43.0
[SECURITY] (#6016) (d92c5c0)
* deps: Update module
go.opentelemetry.io/otel/exporters/otlp/otltrace/otlptracehttp to v1.43.0
[SECURITY] (#6017) (e655bbc)
* deps: Update module go.opentelemetry.io/otel/sdk to v1.43.0 [SECURITY]
(#6018) (94006e8)
* deps: Update some minor go dep versions (#5896) (4ddd0ed) (@jharvey10)
* go: Update alloy builder image to Go 1.25.9 (#6012) (d2ae8b8) (@x1unix)
* go: Upgrade to Go 1.25.9 (#6019) (d777ed1) (@x1unix, @kalleep)
* Helm: RBAC template handles empty rule arrays (#4860) (c9430e9) (@naptalie,
@dehaansa, @kalleep)
* loki.process: Eliminate per-stream goroutines in multiline stage (#6036)
(c089e2e) (@kgeckhart)
* loki.process: Prevent stage.structured_metadata from adding the same
metadata several times (#5965) (0ec8a26) (@kalleep, @thampiotr)
* loki.process: Wrap template in a custom type and move validation to
syntax.Validator (#5910) (700dd7d) (@kalleep)
* prometheus.exporter.postgres: Close DB connections on update (#6021)
(8da97cf) (@kalleep)
* prometheus.scrape: Update scrape_native_histograms to be updated at runtime
(#6087) (18b205c) (@kalleep)
* pyroscope.ebpf: Fix deadlock on LRU eviction in irsymcache (#5911) (03ca563)
(@luweglarz)
* pyroscope.ebpf: Move Pyroscope ebpf metrics registration after component
error handling (#5540) (a3c57c0) (@crbednarz, @marcsanmi)
* pyroscope: Set user agent on debuginfo connect-go client (#6022) (38ad1ef)
(@korniltsev-grafanista)
* ui: Large arguments are downloaded as files instead of rendered (#5268)
(26c67b3) (@ptodev)
* Update go-m1cpu v0.1.7 -> v0.2.1 to fix M5 chip crash (#6034) (7fa0cbc)
(@ymotongpoo)
* windows-installer: Increase service restart on failure delays (#5969)
(add15b1) (@rknightion)
* add script to package webassets inside a podman container, to not endanger
or pollute the host system with npm
* update to 1.15.1: goroutine exits on Stop
* CVE-2026-34986: Fix panic in JWE decryption (bsc#1262955)
* update to 1.15.0:
* BREAKING CHANGES
* otelcol: Upgrade to OTel Collector v0.147.0
* Renamed undocumented metrics that were previously prefixed with
<component_id><metric_name> to loki_source_awsfirehose<metric_name>
* Security CVE-2026-26958: Update filippo.io/edwards25519 to version 1.1.1
(bsc#1258609).
* alloy-mixin: Add filters, groupBy, and multi-select dashboard variables
* beyla.ebpf: Add support for Prometheus native histograms
* beyla.ebpf: Bump Beyla to v3.6
* converters: Support converting Promtail limits_config
* database_observability.mysql: Add filtering of query samples and wait events
by minimum duration
* database_observability.mysql: Embed prometheus exporter within db-o11y
component
* database_observability.postgres: Add configurable limit to
pg_stat_statements query
* database_observability.postgres: Embed prometheus exporter
* database_observability: Promote components to stable
* Expose Functionality to Handle syslogs with Empty MSG Field
* loki.process: Support structured metadata as source type of stage.labels for
loki.process
* loki.secretfilter: Add sampling for secretfilter entries
* loki.source.gcplog: Add alloy config for MaxOutstandingBytes and
MaxOutstandingMessages
* loki.write: Add loki pipeline latency metric
* mixin: Update loki dashboard
* otelcol.receiver.datadog: Expose intake proxy and trace_id_cache_size
settings
* prometheus.exporter.cloudwatch: Use aws-sdk-go-v2 by default
* pyroscope.ebpf: Add comm, pid labels and kernel frame options
* update to 1.14.1:
* Correctly handle the deprecated topic field in otelcol.receiver.kafka
configuration
* loki.process: Protect against json that does not look like docker json
format
* loki.source.file: Keep positions for compressed files when reading is
finished
* prometheus.scrape: Update arguments and targets even if
scrape_native_histograms and extra_metrics are updated
* update to 1.14.0:
* loki.secretfilter: Some config options are removed entirely: partial_mask
(replaced with redact_percent), allowlist (now controlled with custom
gitleaks config), enable_entropy, include_generic, types (now controlled
with custom gitleaks config).
* otelcol.receiver.prometheus: otelcol.receiver.prometheus no longer sets
start times of OTLP metrics.
* Security:
* update to 1.13.2:
* Expose missing otelcol.processor.tail_sampling options
* mixin: Add zipped dashboards as a release artifact
* profiler: Backport Go 1.26 gopclntab textStart fix
* prometheus.exporter.postgres: Update version of the exporter fork to fix
pg_settings
* pyroscope.ebpf: Backport dotnet nibble map fix
* update to 1.13.1:
* timeout before starting new ones
* update to 1.13.0:
* otelcol: Upgrade to OTel Collector v0.142.0
* otelcol.receiver.kafka: The global topic attribute has been deleted; use the
topics attributes inside the logs, metrics, and traces blocks instead.
* otelcol.exporter > sending_queue > batch > min_size changed from 8192 to
2000 and max_size changed from 0 to 3000
* Add a virtual_node_peer_attributes and virtual_node_extra_label arguments to
otelcol.connector.servicegraph
* Add an otelcol.processor.metric_start_time component
* Add job level period, length, and add_cloudwatch_timestamp options and
labels_snake_case to CW exporter
* Add missing configuration parameter deployment_name_from_replicaset to
k8sattributes processor
* Add parcas symbols upload to pyroscope.ebpf
* Add sharding for loki.write
* Add unexposed otel engine and extension to codebase and change build
structure
* beyla.ebpf: Add meta_cache_address to beyla.ebpf.attributes.kubernetes
* beyla.ebpf: Upgrade Beyla to v2.8.5
* Change the defaults for sending_queue > batch block inside otelcol.exporter
components
* cluster: Support DNS discovery mode prefixes in --cluster.join-addresses
flag
* converter: Update promtail converter to use file_match block for
loki.source.file
* database_observability: Add health check collector for postgres component
* database_observability: Expose exclude_schemas and exclude_databases
settings
* database_observability: Support Azure cloud provider config data
* database_observability.mysql: Support excluding schemas in all collectors
* database_observability.postgres: Support excluding DBs in all collectors
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* Basesystem Module 15-SP7
zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP7-2026-2438=1
## Package List:
* Basesystem Module 15-SP7 (aarch64 ppc64le s390x x86_64)
* alloy-debuginfo-1.16.1-150700.15.20.1
* alloy-1.16.1-150700.15.20.1
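To confirm on a host that the package from the list above is actually installed at the fixed build, the following check script is an added example; it is not part of the advisory or of the alloy project. It takes the fixed version-release from the package list above, queries it with the standard rpm `--qf '%{VERSION}-%{RELEASE}'` format when rpm is present, and otherwise runs a demo on constructed values. The function names (`vercmp`, `alloy_is_patched`, `report_alloy`) and the older sample build number in the demo branch are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the SUSE advisory or of the alloy project: check whether
# the alloy package on a host is at or above the version-release this advisory ships.
# FIXED_ALLOY_VERSION comes from the advisory's package list; everything else here
# (function names, the constructed sample version in the demo) is this example's own.
FIXED_ALLOY_VERSION="1.16.1-150700.15.20.1"

# vercmp A B prints -1, 0 or 1. It follows the spirit of rpm's ordering: split on
# non-alphanumeric characters, all-digit segments compare numerically, other segments
# compare as strings, and a missing segment sorts before a present one (1.16 < 1.16.1).
# Simplification (assumption of this example): version and release are compared as one
# concatenated string rather than separately as rpm does.
vercmp() {
  awk -v a="$1" -v b="$2" '
    BEGIN {
      na = split(a, A, /[^A-Za-z0-9]+/)
      nb = split(b, B, /[^A-Za-z0-9]+/)
      n = (na > nb) ? na : nb
      for (i = 1; i <= n; i++) {
        x = (i <= na) ? A[i] : ""
        y = (i <= nb) ? B[i] : ""
        if (x == y) continue
        if (x == "") { print "-1"; exit }
        if (y == "") { print "1"; exit }
        if (x ~ /^[0-9]+$/ && y ~ /^[0-9]+$/) {
          r = (x + 0 < y + 0) ? "-1" : "1"
          print r; exit
        }
        sx = x ""; sy = y ""
        r = (sx < sy) ? "-1" : "1"
        print r; exit
      }
      print "0"
    }'
}

# Exit status 0 when the given VERSION-RELEASE string is at least the fixed build.
alloy_is_patched() {
  [ "$(vercmp "$1" "$FIXED_ALLOY_VERSION")" -ge 0 ]
}

# report_alloy VERSION-RELEASE prints a one-line verdict with the remediation command
# from the advisory when the installed build is too old.
report_alloy() {
  if alloy_is_patched "$1"; then
    echo "alloy $1: at or above $FIXED_ALLOY_VERSION, SUSE-SU-2026:2438-1 applied"
  else
    echo "alloy $1: below $FIXED_ALLOY_VERSION, run: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP7-2026-2438=1"
  fi
}

# Live check when rpm knows the package; otherwise a demo on constructed values
# (the 1.15.1 build number below is made up for illustration, not a real SUSE build).
if command -v rpm >/dev/null 2>&1 && rpm -q alloy >/dev/null 2>&1; then
  report_alloy "$(rpm -q --qf '%{VERSION}-%{RELEASE}' alloy)"
else
  report_alloy "1.15.1-150700.15.17.1"
  report_alloy "$FIXED_ALLOY_VERSION"
fi
```

The comparison is deliberately done in awk rather than with `sort -V` so that it runs on any POSIX shell; on a SLE host `zypper versioncmp` or `rpmdev-vercmp` would give the authoritative rpm ordering, including the separate version and release comparison this example collapses.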
## References:
* https://www.suse.com/security/cve/CVE-2026-25934.html
* https://www.suse.com/security/cve/CVE-2026-26958.html
* https://www.suse.com/security/cve/CVE-2026-33186.html
* https://www.suse.com/security/cve/CVE-2026-34986.html
* https://www.suse.com/security/cve/CVE-2026-41602.html
* https://www.suse.com/security/cve/CVE-2026-4427.html
* https://bugzilla.suse.com/show_bug.cgi?id=1258099
* https://bugzilla.suse.com/show_bug.cgi?id=1258609
* https://bugzilla.suse.com/show_bug.cgi?id=1259919
* https://bugzilla.suse.com/show_bug.cgi?id=1260317
* https://bugzilla.suse.com/show_bug.cgi?id=1262955
* https://bugzilla.suse.com/show_bug.cgi?id=1263530
* https://jira.suse.com/browse/PED-14815