
Update module github.com/prometheus/alertmanager to v0.25.1 [SECURITY] #130

Open
wants to merge 1 commit into
base: master
Conversation

renovate[bot] commented Aug 6, 2024

This PR contains the following updates:

Package: github.com/prometheus/alertmanager
Change: v0.24.0 -> v0.25.1

GitHub Vulnerability Alerts

CVE-2023-40577

Impact

An attacker with the permission to perform POST requests on the /api/v1/alerts endpoint could execute arbitrary JavaScript code on the users of Prometheus Alertmanager.

Patches

Users can upgrade to Alertmanager v0.25.1.

Workarounds

Users can set up a reverse proxy in front of the Alertmanager web server to forbid access to the /api/v1/alerts endpoint.

References

N/A


Release Notes

prometheus/alertmanager (github.com/prometheus/alertmanager)

v0.25.1: 0.25.1 / 2023-08-23


  • [SECURITY] Fix stored XSS via the /api/v1/alerts endpoint in the Alertmanager UI (CVE-2023-40577).

v0.25.0: 0.25.0 / 2022-12-22


  • [CHANGE] Change the default parse_mode value from MarkdownV2 to HTML for Telegram. #2981
  • [CHANGE] Make api_url field optional for Telegram. #2981
  • [CHANGE] Use CanonicalMIMEHeaderKey instead of TitleCasing for email headers. #3080
  • [CHANGE] Reduce the number of notification logs broadcasted between peers by expiring them after (2 * repeat interval). #2982
  • [FEATURE] Add proxy_url support for OAuth2 in HTTP client configuration. #3010
  • [FEATURE] Reload TLS certificate and key from disk when updated. #3168
  • [FEATURE] Add Discord integration. #2948
  • [FEATURE] Add Webex integration. #3132
  • [ENHANCEMENT] Add --web.systemd-socket flag to systemd socket activation listeners instead of port listeners (Linux only). #3140
  • [ENHANCEMENT] Add enable_http2 support in HTTP client configuration. #3010
  • [ENHANCEMENT] Add min_version support to select the minimum TLS version in HTTP client configuration. #3010
  • [ENHANCEMENT] Add max_version support to select the maximum TLS version in HTTP client configuration. #3168
  • [ENHANCEMENT] Emit warning logs when truncating messages in notifications. #3145
  • [ENHANCEMENT] Add --data.maintenance-interval flag to define the interval between the garbage collection and snapshotting to disk of the silences and the notification logs. #2849
  • [ENHANCEMENT] Support HEAD method for the /-/healthy and /-/ready endpoints. #3039
  • [ENHANCEMENT] Truncate messages with the ellipsis character (…) instead of the 3-dots string (...). #3072
  • [ENHANCEMENT] Add support for reading global and local SMTP passwords from files. #3038
  • [ENHANCEMENT] Add Location support to time intervals. #2782
  • [ENHANCEMENT] UI: Add 'Link' button to alerts in list. #2880
  • [ENHANCEMENT] Add the source field to the PagerDuty configuration. #3106
  • [ENHANCEMENT] Add support for reading PagerDuty routing and service keys from files. #3107
  • [ENHANCEMENT] Log response details when notifications fail for Webhooks, Pushover and VictorOps. #3103
  • [ENHANCEMENT] UI: Allow to choose the first day of the week as Sunday or Monday. #3093
  • [ENHANCEMENT] Add support for reading VictorOps API key from file. #3111
  • [ENHANCEMENT] Support templating for Opsgenie's responder type. #3060
  • [BUGFIX] Fail configuration loading if api_key and api_key_file are defined at the same time. #2910
  • [BUGFIX] Fix the alertmanager_alerts metric to avoid counting resolved alerts as active. Also added a new alertmanager_marked_alerts metric that retains the old behavior. #2943
  • [BUGFIX] Trim contents of Slack API URLs when reading from files. #2929
  • [BUGFIX] amtool: Avoid panic when the label value matcher is empty. #2968
  • [BUGFIX] Fail configuration loading if api_url is empty for OpsGenie. #2910
  • [BUGFIX] Fix email template for resolved notifications. #3166
  • [BUGFIX] Use the HTML template engine when the parse mode is HTML for Telegram. #3183

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/London, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
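The reverse-proxy workaround named in the advisory, written out as an added example in Go. This is not code from the Alertmanager project or from this PR: it is a small front proxy that refuses /api/v1/alerts (including trailing-slash, double-slash, dot-segment, percent-encoded and mixed-case variants of the path) and forwards every other request unchanged, so the v2 API used by the UI keeps working while the vulnerable v1 endpoint is unreachable until the upgrade to v0.25.1 lands. The upstream address 127.0.0.1:9093 and the proxy listen port :8080 are assumptions.

```go
package main

import (
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"path"
	"strings"
)

// blockedEndpoint is the path the CVE-2023-40577 advisory says to forbid at
// the proxy layer until Alertmanager is upgraded to v0.25.1.
const blockedEndpoint = "/api/v1/alerts"

// isBlocked reports whether a request path must be refused before it reaches
// Alertmanager. The decoded path is normalised first so that variants such as
// "/api/v1/alerts/", "//api/v1/alerts" and "/api/v2/../v1/alerts" are all
// caught. The comparison is deliberately case-insensitive: a deny rule should
// be at least as broad as the upstream router, never narrower.
func isBlocked(rawPath string) bool {
	// path.Clean collapses duplicate slashes, resolves dot segments and drops
	// a trailing slash; the leading "/" keeps the result rooted for any input.
	p := strings.ToLower(path.Clean("/" + rawPath))
	return p == blockedEndpoint || strings.HasPrefix(p, blockedEndpoint+"/")
}

// newGuardedProxy forwards every request to the upstream Alertmanager except
// those for the blocked endpoint, which are answered with 403 and never
// forwarded. Other v1 endpoints and the whole v2 API are left untouched.
func newGuardedProxy(upstream *url.URL) http.Handler {
	proxy := httputil.NewSingleHostReverseProxy(upstream)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// r.URL.Path is already percent-decoded by net/http, so an encoded
		// spelling such as "/api/v1/%61lerts" is compared in decoded form.
		if isBlocked(r.URL.Path) {
			http.Error(w, "forbidden: /api/v1/alerts is disabled (CVE-2023-40577 workaround)", http.StatusForbidden)
			return
		}
		proxy.ServeHTTP(w, r)
	})
}

func main() {
	// Assumed addresses for this example: Alertmanager on its default
	// 127.0.0.1:9093, the guarding proxy on :8080.
	upstream, err := url.Parse("http://127.0.0.1:9093")
	if err != nil {
		log.Fatal(err)
	}
	log.Fatal(http.ListenAndServe(":8080", newGuardedProxy(upstream)))
}
```

The filter only helps if clients cannot reach Alertmanager directly, so bind it to loopback (for example `--web.listen-address=127.0.0.1:9093`) and expose only the proxy; blocking every method on the path rather than just POST keeps the rule simple and errs on the side of denial.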


renovate bot commented Aug 6, 2024

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: go.sum
Command failed: go get -d -t ./...
go: go.opentelemetry.io/contrib/propagators@v1.0.0: reading go.opentelemetry.io/contrib/propagators/go.mod at revision propagators/v1.0.0: unknown revision propagators/v1.0.0
