ELSA-2022-8057
- ULN >
- Oracle Linux Errata repository >
- ELSA-2022-8057
ELSA-2022-8057 - grafana security, bug fix, and enhancement update
| Type: | SECURITY |
| Impact: | IMPORTANT |
| Release Date: | 2022-11-22 |
Description
[7.5.15-3]
- resolve CVE-2022-1962 golang: go/parser: stack exhaustion in all Parse* functions
- resolve CVE-2022-1705 golang: net/http: improper sanitization of Transfer-Encoding header
- resolve CVE-2022-32148 golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working
- resolve CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read
- resolve CVE-2022-30630 golang: io/fs: stack exhaustion in Glob
- resolve CVE-2022-30632 golang: path/filepath: stack exhaustion in Glob
- resolve CVE-2022-30635 golang: encoding/gob: stack exhaustion in Decoder.Decode
- resolve CVE-2022-28131 golang: encoding/xml: stack exhaustion in Decoder.Skip
- resolve CVE-2022-30633 golang: encoding/xml: stack exhaustion in Unmarshal
[7.5.15-2]
- resolve CVE-2022-31107 grafana: OAuth account takeover
[7.5.15-1]
- update to 7.5.15 tagged upstream community sources, see CHANGELOG
- resolve CVE-2022-21673 grafana: Forward OAuth Identity Token can allow users to access some data sources
- resolve CVE-2022-21702 grafana: XSS vulnerability in data source handling
- resolve CVE-2022-21703 grafana: CSRF vulnerability can lead to privilege escalation
- resolve CVE-2022-21713 grafana: IDOR vulnerability can lead to information disclosure
- resolve CVE-2021-23648 sanitize-url: XSS
- resolve CVE-2022-21698 prometheus/client_golang: Denial of service using InstrumentHandlerCounter
- declare Node.js dependencies of subpackages
- make vendor and webpack tarballs reproducible
[7.5.11-3]
- use HMAC-SHA-256 instead of SHA-1 to generate password reset tokens
- update FIPS tests in check phase
[7.5.11-2]
- resolve CVE-2021-44716 golang: net/http: limit growth of header canonicalization cache
- resolve CVE-2021-43813 grafana: directory traversal vulnerability for *.md files
[7.5.11-1]
- update to 7.5.11 tagged upstream community sources, see CHANGELOG
- resolve CVE-2021-39226
Related CVEs
Updated Packages
| Release/Architecture | Filename | sha256 | Superseded By Advisory | Channel Label |
| Oracle Linux 9 (aarch64) | grafana-7.5.15-3.el9.src.rpm | 052e27a43c1af8ee2d6942c2e896482c103c260940cab5daf2b3622e5c434b1b | - | ol9_aarch64_appstream |
| grafana-7.5.15-3.el9.aarch64.rpm | 70fc532f8ceda1cacbd2f96e7359ff9b7f41a036eec56f1585f86b4fbb1ebbd7 | - | ol9_aarch64_appstream | |
| Oracle Linux 9 (x86_64) | grafana-7.5.15-3.el9.src.rpm | 052e27a43c1af8ee2d6942c2e896482c103c260940cab5daf2b3622e5c434b1b | - | ol9_x86_64_appstream |
| grafana-7.5.15-3.el9.x86_64.rpm | 499056a1428d9e3cf194ba3d5d962b3351b026faa4002fa8a604cab7ec7413c2 | - | ol9_x86_64_appstream | |
This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections please contact the Oracle Linux ULN team
