This update fixes the following issues:
golang-github-lusitaniae-apache_exporter:
- Internal changes to fix build issues with no impact for customers
golang-github-prometheus-prometheus:
Security issues fixed:
- CVE-2026-27606: Fixed arbitrary file write via path traversal in rollup (bsc#1258893)
- Bumped rollup to version 4.59.0
- CVE-2026-25547: Fixed unbounded brace range expansion leading to excessive CPU and memory consumption (bsc#1257841)
- Bumped brace-expansion to version 5.0.2
- CVE-2026-1615, CVE-2025-61140: The old web UI is no longer built due to security issues (bsc#1257897, bsc#1257442)
- CVE-2025-13465: Bumped lodash package to version 4.17.23 to fix prototype pollution vulnerability (bsc#1257329)
- CVE-2026-33186: Fixed authorization bypass due to improper validation of the HTTP/2 :path pseudo-header (bsc#1260267)
- Bumped google.golang.org/grpc to version 1.79.3
grafana:
Security issues fixed:
- CVE-2026-21722: Public dashboards annotations: use dashboard timerange if time selection disabled (bsc#1258136)
- CVE-2026-21721: Fixed access control by the dashboard permissions API (bsc#1257337)
- CVE-2026-21720: Fixed unauthenticated DoS (bsc#1257349)
- CVE-2025-3415: Fixed exposure of DingDing alerting integration URL to Viewer level users (bsc#1245302)
- CVE-2026-26958: Bumped filippo.io/edwards25519 to version 1.1.1 (bsc#1258595)
- CVE-2026-21725: Fixed missing UID when deleting datasource by name (bsc#1258873)
- CVE-2026-27876: Fixed remote arbitrary code execution via chained SQL Expressions (bsc#1261025)
- CVE-2026-27877: Fixed information disclosure of data-source passwords via public dashboards (bsc#1261026)
- CVE-2026-28375: Fixed denial of service via testdata data-source (bsc#1261029)
- CVE-2026-27879: Fixed denial of service via resample query (bsc#1261027)
- CVE-2026-33186: Fixed...