Security update for grafana SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2020:1611-1 Final 1 1 2020-10-04T12:21:08Z current 2020-10-04T12:21:08Z 2020-10-04T12:21:08Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for grafana This update for grafana fixes the following issues: grafana was updated to version 7.1.5: * Features / Enhancements - Stats: Stop counting the same user multiple times. - Field overrides: Filter by field name using regex. - AzureMonitor: map more units. - Explore: Don't run queries on datasource change. - Graph: Support setting field unit & override data source (automatic) unit. - Explore: Unification of logs/metrics/traces user interface - Table: JSON Cell should try to convert strings to JSON - Variables: enables cancel for slow query variables queries. - TimeZone: unify the time zone pickers to one that can rule them all. - Search: support URL query params. - Grafana-UI: Add FileUpload. - TablePanel: Sort numbers correctly. * Bug fixes - Alerting: remove LongToWide call in alerting. - AzureMonitor: fix panic introduced in 7.1.4 when unit was unspecified and alias was used. - Variables: Fixes issue with All variable not being resolved. - Templating: Fixes so texts show in picker not the values. - Templating: Templating: Fix undefined result when using raw interpolation format - TextPanel: Fix content overflowing panel boundaries. - StatPanel: Fix stat panel display name not showing when explicitly set. - Query history: Fix search filtering if null value. - Flux: Ensure connections to InfluxDB are closed. - Dashboard: Fix for viewer can enter panel edit mode by modifying url (but cannot not save anything). - Prometheus: Fix prom links in mixed mode. - Sign In Use correct url for the Sign In button. - StatPanel: Fixes issue with name showing for single series / field results - BarGauge: Fix space bug in single series mode. - Auth: Fix POST request failures with anonymous access - Templating: Fix recursive loop of template variable queries when changing ad-hoc-variable - Templating: Fixed recursive queries triggered when switching dashboard settings view - GraphPanel: Fix annotations overflowing panels. - Prometheus: Fix performance issue in processing of histogram labels. - Datasources: Handle URL parsing error. - Security: Use Header.Set and Header.Del for X-Grafana-User header. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2020-1611 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/OKBMAHAY4QQ74KBHCRT4WZCTDLSNZWWW/ E-Mail link for openSUSE-SU-2020:1611-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1044444 SUSE Bug 1044444 https://bugzilla.suse.com/1044933 SUSE Bug 1044933 https://bugzilla.suse.com/1115960 SUSE Bug 1115960 https://bugzilla.suse.com/1170557 SUSE Bug 1170557 https://www.suse.com/security/cve/CVE-2018-19039/ SUSE CVE CVE-2018-19039 page https://www.suse.com/security/cve/CVE-2019-15043/ SUSE CVE CVE-2019-15043 page https://www.suse.com/security/cve/CVE-2020-12245/ SUSE CVE CVE-2020-12245 page https://www.suse.com/security/cve/CVE-2020-13379/ SUSE CVE CVE-2020-13379 page SUSE Package Hub 15 SP1 grafana-7.1.5-bp151.2.1 grafana-7.1.5-bp151.2.1 as a component of SUSE Package Hub 15 SP1 Grafana before 4.6.5 and 5.x before 5.3.3 allows remote authenticated users to read arbitrary files by leveraging Editor or Admin permissions. CVE-2018-19039 SUSE Package Hub 15 SP1:grafana-7.1.5-bp151.2.1 moderate 4 AV:N/AC:L/Au:S/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/OKBMAHAY4QQ74KBHCRT4WZCTDLSNZWWW/ https://www.suse.com/security/cve/CVE-2018-19039.html CVE-2018-19039 https://bugzilla.suse.com/1115960 SUSE Bug 1115960 In Grafana 2.x through 6.x before 6.3.4, parts of the HTTP API allow unauthenticated use. This makes it possible to run a denial of service attack against the server running Grafana. CVE-2019-15043 SUSE Package Hub 15 SP1:grafana-7.1.5-bp151.2.1 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/OKBMAHAY4QQ74KBHCRT4WZCTDLSNZWWW/ https://www.suse.com/security/cve/CVE-2019-15043.html CVE-2019-15043 https://bugzilla.suse.com/1148383 SUSE Bug 1148383 Grafana before 6.7.3 allows table-panel XSS via column.title or cellLinkTooltip. CVE-2020-12245 SUSE Package Hub 15 SP1:grafana-7.1.5-bp151.2.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/OKBMAHAY4QQ74KBHCRT4WZCTDLSNZWWW/ https://www.suse.com/security/cve/CVE-2020-12245.html CVE-2020-12245 https://bugzilla.suse.com/1170557 SUSE Bug 1170557 The avatar feature in Grafana 3.0.1 through 7.0.1 has an SSRF Incorrect Access Control issue. This vulnerability allows any unauthenticated user/client to make Grafana send HTTP requests to any URL and return its result to the user/client. This can be used to gain information about the network that Grafana is running on. Furthermore, passing invalid URL objects could be used for DOS'ing Grafana via SegFault. CVE-2020-13379 SUSE Package Hub 15 SP1:grafana-7.1.5-bp151.2.1 important 6.4 AV:N/AC:L/Au:N/C:P/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/OKBMAHAY4QQ74KBHCRT4WZCTDLSNZWWW/ https://www.suse.com/security/cve/CVE-2020-13379.html CVE-2020-13379 https://bugzilla.suse.com/1172409 SUSE Bug 1172409