Detections
Analytics

SUSE SLED15 / SLES15 Security Update : alloy (SUSE-SU-2026:0028-1)

high Nessus Plugin ID 281835

Language:

Synopsis

The remote SUSE host is missing one or more security updates.

Description

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:0028-1 advisory.

 Upgrade to version 1.12.1.

 Security issues fixed:

 - CVE-2025-47911: golang.org/x/net/html: quadratic complexity algorithms used when parsing untrusted HTML documents (bsc#1251509).
 - CVE-2025-47913: golang.org/x/crypto: early client process termination when receiving an unexpected message type in response to a key listing or signing request (bsc#1253609).
 - CVE-2025-58190: golang.org/x/net/html: excessive memory consumption by `html.ParseFragment` when processing specially crafted input (bsc#1251716).

 Other updates and bugfixes:

 - Version 1.12.1:
 * Bugfixes
 - update to Beyla 2.7.10.

 - Version 1.12.0:
 * Breaking changes
 - `prometheus.exporter.blackbox`, `prometheus.exporter.snmp` and `prometheus.exporter.statsd` now use the component ID instead of the hostname as their instance label in their exported metrics.
 * Features
 - (Experimental) Add an `otelcol.receiver.cloudflare` component to receive logs pushed by Cloudflare's LogPush jobs.
 - (Experimental) Additions to experimental `database_observability.mysql` component:
 - `explain_plans`
 - collector now changes schema before returning the connection to the pool.
 - collector now passes queries more permissively.
 - enable `explain_plans` collector by default
 - (Experimental) Additions to experimental `database_observability.postgres` component:
 - `explain_plans`
 - added the explain plan collector.
 - collector now passes queries more permissively.
 - `query_samples`
 - add user field to wait events within `query_samples` collector.
 - rework the query samples collector to buffer per-query execution state across scrapes and emit finalized entries.
 - process turned idle rows to calculate finalization times precisely and emit first seen idle rows.
 - `query_details`
 - escape queries coming from `pg_stat_statements` with quotes.
 - enable `explain_plans` collector by default.
 - safely generate `server_id` when UDP socket used for database connection.
 - add table registry and include 'validated' in parsed table name logs.
 - Add `otelcol.exporter.googlecloudpubsub` community component to export metrics, traces, and logs to Google Cloud Pub/Sub topic.
 - Add `structured_metadata_drop` stage for `loki.process` to filter structured metadata.
 - Send remote config status to the remote server for the `remotecfg` service.
 - Send effective config to the remote server for the `remotecfg` service.
 - Add a `stat_statements` configuration block to the `prometheus.exporter.postgres` component to enable selecting both the query ID and the full SQL statement. The new block includes one option to enable statement selection, and another to configure the maximum length of the statement text.
 - Add truncate stage for `loki.process` to truncate log entries, label values, and `structured_metadata` values.
 - Add `u_probe_links` & `load_probe` configuration fields to alloy `pyroscope.ebpf` to extend configuration of the `opentelemetry-ebpf-profiler` to allow uprobe profiling and dynamic probing.
 - Add `verbose_mode` configuration fields to `alloy pyroscope.ebpf` to be enable `ebpf-profiler` verbose mode.
 - Add `file_match` block to `loki.source.file` for built-in file discovery using glob patterns.
 - Add a regex argument to the `structured_metadata` stage in `loki.process` to extract labels matching a regular expression.
 - OpenTelemetry Collector dependencies upgraded from v0.134.0 to v0.139.0.
 - See the upstream [core](https://github.com/open-telemetry/opentelemetry-collector/blob/v0.139.0/CHANGELOG.md) and [contrib](https://github.com/open-telemetry/opentelemetry-collector- contrib/blob/v0.139.0/CHANGELOG.md) changelogs for more details.
 - A new `mimir.alerts.kubernetes` component which discovers AlertmanagerConfig Kubernetes resources and loads them into a Mimir instance.
 - Mark `stage.windowsevent` block in the `loki.process` component as GA.
 * Enhancements
 - Add per-application rate limiting with the strategy attribute in the `faro.receiver` component, to prevent one application from consuming the rate limit quota of others.
 - Add support of tls in components `loki.source.(awsfirehose|gcplog|heroku|api)` and `prometheus.receive_http` and `pyroscope.receive_http`.
 - Remove `SendSIGKILL=no` from unit files and recommendations.
 - Reduce memory overhead of `prometheus.remote_write`'s WAL by lowering the size of the allocated series storage.
 - Reduce lock wait/contention on the `labelstore.LabelStore` by removing unecessary usage from `prometheus.relabel`.
 - `prometheus.exporter.postgres` dependency has been updated to v0.18.1.
 - Update Beyla component to 2.7.8.
 - Support delimiters in `stage.luhn`.
 - `pyroscope.java`: update `async-profiler` to 4.2.
 - `prometheus.exporter.unix`: Add an arp config block to configure the ARP collector.
 - `prometheus.exporter.snowflake` dependency has been updated to 20251016132346-6d442402afb2.
 - `loki.source.podlogs` now supports `preserve_discovered_labels` parameter to preserve discovered pod metadata labels for use by downstream components.
 - Rework underlying framework of Alloy UI to use Vite instead of Create React App.
 - Use POST requests for remote config requests to avoid hitting http2 header limits.
 - `loki.source.api` during component shutdown will now reject all the inflight requests with status code 503 after `graceful_shutdown_timeout` has expired.
 - `kubernetes.discovery`: Add support for attaching namespace metadata.
 - Add `meta_cache_address` to `beyla.ebpf` component.
 * Bugfixes
 - Stop `loki.source.kubernetes` discarding log lines with duplicate timestamps.
 - Fix direction of arrows for pyroscope components in UI graph.
 - Only log EOF errors for syslog port investigations in `loki.source.syslog` as Debug, not Warn.
 - Fix `prometheus.exporter.process` ignoring the `remove_empty_groups` argument.
 - Fix issues with 'unknown series ref when trying to add exemplar' from `prometheus.remote_write` by allowing series ref links to be updated if they change.
 - Fix `loki.source.podlogs` component to register the Kubernetes field index for `spec.nodeName` when node filtering is enabled, preventing 'Index with name `field:spec.nodeName` does not exist' errors.
 - Fix issue in `loki.source.file` where scheduling files could take too long.
 - Fix `loki.write` no longer includes internal labels __.
 - Fix missing native histograms custom buckets (NHCB) samples from `prometheus.remote_write`.
 - `otelcol.receiver.prometheus` now supports mixed histograms if `prometheus.scrape` has `honor_metadata` set to true.
 - `loki.source.file` has better support for non-UTF-8 encoded files.
 - Fix the `loki.write` endpoint block's `enable_http2` attribute to actually affect the client.
 - Optionally remove trailing newlines before appending entries in `stage.multiline`.
 - `loki.source.api` no longer drops request when relabel rules drops a specific stream.

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected alloy package.

See Also

https://bugzilla.suse.com/1251509

https://bugzilla.suse.com/1251716

https://bugzilla.suse.com/1253609

http://www.nessus.org/u?d36d3257

https://www.suse.com/security/cve/CVE-2025-47911

https://www.suse.com/security/cve/CVE-2025-47913

https://www.suse.com/security/cve/CVE-2025-58190

Plugin Details

Severity: High

ID: 281835

File Name: suse_SU-2026-0028-1.nasl

Version: 1.1

Type: local

Agent: unix

Published: 1/6/2026

Updated: 1/6/2026

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 5.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

CVSS Score Source: CVE-2025-47913

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:suse_linux:alloy, cpe:/o:novell:suse_linux:15

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 1/5/2026

Vulnerability Publication Date: 10/23/2025

Reference Information

CVE: CVE-2025-47911, CVE-2025-47913, CVE-2025-58190

SuSE: SUSE-SU-2026:0028-1