This update fixes the following issues:
golang-github-prometheus-prometheus:
- CVE-2026-27606: Fix arbitrary file write via path traversal in
rollup (bsc#1258893)
- Bump rollup to version 4.59.0
- Drop SLE 12 support (jsc#PED-15474)
- CVE-2026-25547: Fix unbounded brace range expansion leading to
excessive CPU and memory consumption (bsc#1257841):
- Bump brace-expansion to version 5.0.2
- Do not build the old web UI. This fixes the following security
vulnerabilities:
- CVE-2026-1615: jsonpath: arbitrary code injection due to unsafe
evaluation of user-supplied JSON Path expressions (bsc#1257897)
- CVE-2025-61140: jsonpath: the value function is vulnerable to
prototype pollution (bsc#1257442)
- Set source URL in the spec file and drop tar service
grafana:
- Drop support for SLE 12 (jsc#PED-15474)
- Update to version 11.6.11:
Features and enhancements:
- Alerting: Add limits for the size of expanded notification
templates
- Correlations: Remove support for org_id=0
Security:
- CVE-2026-21722: Public dashboards annotations: use dashboard
timerange if time selection disabled (bsc#1258136)
- Update to version 11.6.10:
- API: Add missing scope check on dashboards
- Avatar: Require sign-in, remove queue, respect timeout
Bug fixes:
- Alerting: Fix a race condition panic in ResetStateByRuleUID
- Update to version 11.6.9:
- Plugins: Add PluginContext to plugins when scenes is disabled
- Alerting: Fix contact point issues
- Update to version 11.6.8:
- Alerting: Fix unmarshalling of GettableStatus to include time
intervals
- Update to version 11.6.7:
- Auth: Fix render user OAuth passthrough
- LDAP Authentication: Fix URL to propagate username context as
parameter
- Plugins: Dependencies do not inherit parent URL for preinstall
- URLParams: Stringify true values as key=true always (fixes
issues with variables with true value)
- Update to version 11.6.6:
- Alerting: Fix copying of recording rule fields
- Fix...