ELSA-2024-9115 - grafana security update
| Type: | SECURITY |
| Impact: | MODERATE |
| Release Date: | 2024-11-14 |
Description
[10.2.6-4]
- Resolves RHEL-44874
[10.2.6-3]
- Resolves RHEL-35937
[10.2.6-2]
- Fixes patch 1002 for update to golang-fips
- Remove unused code under apsl-1.1 and apsl-1.2 licenses
- Resolves RHEL-33655
[10.2.6-1]
- Rebase to grafana 10.2.6
[9.2.10-15]
- Resolves RHEL-23468
- Allows for gid to be 0
- Allows for postgreSQL datasource in selinux policy
[9.2.10-14]
- Fixes postgresql AVC denial
- Related RHEL-7505
[9.2.10-13]
- Resolves RHEL-19296
- Fixes coredump issue introduced by selinux
- Patches out call to panic when trying to walk '/' directory
[9.2.10-12]
- Resolves RHEL-7505
- Fixes additional selinux denials found when testing on certain architectures
[9.2.10-11]
- Resolves RHEL-7505
- Fixes selinux denials found when testing on certain architectures
[9.2.10-10]
- Resolves RHEL-7505
- Adds a selinux policy for grafana
- Resolves RHEL-12666
- fix CVE-2023-39325 CVE-2023-44487 rapid stream resets can cause excessive work
[9.2.10-5]
- resolve CVE-2023-3128 grafana: account takeover possible when using Azure AD OAuth
[9.2.10-3]
- bumps exporter-toolkit to v0.7.3, sanitize-url@npm to 6.0.2, skip problematic s390 tests, License AGPL-3.0-only.
[9.2.10-2]
- Update to 9.2.10
[9.2.10-1]
- Update to 9.2.10
[9.0.9-2]
- resolve CVE-2022-39229 grafana: Using email as a username can prevent other users from signing in
- resolve CVE-2022-2880 CVE-2022-41715 grafana: various flaws
[9.0.9-1]
- update to 9.0.9 tagged upstream community sources, see CHANGELOG
- resolve CVE-2022-35957 grafana: Escalation from admin to server admin when auth proxy is used (rhbz#2125530)
[9.0.8-2]
- bump NVR
[9.0.8-1]
- update to 9.0.8 tagged upstream community sources, see CHANGELOG
- do not list /usr/share/grafana/conf twice
- drop makefile in favor of create_bundles.sh script
- sync provides/obsoletes with CentOS versions
- drop husky patch
[7.5.15-3]
- resolve CVE-2022-1962 golang: go/parser: stack exhaustion in all Parse* functions
- resolve CVE-2022-1705 golang: net/http: improper sanitization of Transfer-Encoding header
- resolve CVE-2022-32148 golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working
- resolve CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read
- resolve CVE-2022-30630 golang: io/fs: stack exhaustion in Glob
- resolve CVE-2022-30632 golang: path/filepath: stack exhaustion in Glob
- resolve CVE-2022-30635 golang: encoding/gob: stack exhaustion in Decoder.Decode
- resolve CVE-2022-28131 golang: encoding/xml: stack exhaustion in Decoder.Skip
- resolve CVE-2022-30633 golang: encoding/xml: stack exhaustion in Unmarshal
[7.5.15-2]
- resolve CVE-2022-31107 grafana: OAuth account takeover
Related CVEs
Updated Packages
| Release/Architecture | Filename | sha256 | Superseded By Advisory | Channel Label |
|
| Oracle Linux 9 (aarch64) | grafana-10.2.6-4.el9.src.rpm | 9b8ac5beccf097e4c828058430e4743268f30ab897a43603f49e4cf0edeffaf0 | - | ol9_aarch64_appstream |
| grafana-10.2.6-4.el9.aarch64.rpm | e9b4eba1b7f6b03c594f88e4acd37b3af23b31a36ce978fefe3a197b9a64eef2 | - | ol9_aarch64_appstream |
| grafana-selinux-10.2.6-4.el9.aarch64.rpm | bf97d1a5ad855aeefca0bc689996466d86c92931a3a6ba1896b1d6bdb4228ac4 | - | ol9_aarch64_appstream |
|
| Oracle Linux 9 (x86_64) | grafana-10.2.6-4.el9.src.rpm | 9b8ac5beccf097e4c828058430e4743268f30ab897a43603f49e4cf0edeffaf0 | - | ol9_x86_64_appstream |
| grafana-10.2.6-4.el9.x86_64.rpm | bd873cb36f749490e0a700e1ae3ac36e9b61e84de216f0bfdfc905fc9ec0a475 | - | ol9_x86_64_appstream |
| grafana-selinux-10.2.6-4.el9.x86_64.rpm | afac6f3ca973563d7c1a02b7efb8d3917863d81b4828daff38e05f7ff3614d9d | - | ol9_x86_64_appstream |
This page is generated automatically and has not been checked for errors or omissions. For clarification
or corrections please contact the Oracle Linux ULN team
