--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2022-83405f9d5b
2022-04-20 19:15:28.797685
--------------------------------------------------------------------------------

Name        : grafana
Product     : Fedora 34
Version     : 7.5.15
Release     : 2.fc34
URL         : https://grafana.org
Summary     : Metrics dashboard and graph editor
Description :
Grafana is an open source, feature rich metrics dashboard and graph editor for
Graphite, InfluxDB & OpenTSDB.

--------------------------------------------------------------------------------
Update Information:

- update to 7.5.15 tagged upstream community sources, see CHANGELOG - resolve
CVE-2022-21673 grafana: Forward OAuth Identity Token can allow users to access
some data sources - resolve CVE-2022-21702 grafana: XSS vulnerability in data
source handling - resolve CVE-2022-21703 grafana: CSRF vulnerability can lead to
privilege escalation - resolve CVE-2022-21713 grafana: IDOR vulnerability can
lead to information disclosure - resolve CVE-2021-23648 sanitize-url: XSS -
resolve CVE-2022-21698 prometheus/client_golang: Denial of service using
InstrumentHandlerCounter - declare Node.js dependencies of subpackages - make
vendor and webpack tarballs reproducible
--------------------------------------------------------------------------------
ChangeLog:

* Mon Apr 11 2022 Andreas Gerstmayr  7.5.15-2
- use clamp-mtime when generating the vendor and webpack tarballs,
  to preserve past timestamps but still keep reproducibility
- round tarball mtime timestamp to midnight, to match SOURCE_DATE_EPOCH
* Fri Apr  8 2022 Andreas Gerstmayr  7.5.15-1
- update to 7.5.15 tagged upstream community sources, see CHANGELOG
- resolve CVE-2022-21673 grafana: Forward OAuth Identity Token can allow users to access some data sources
- resolve CVE-2022-21702 grafana: XSS vulnerability in data source handling
- resolve CVE-2022-21703 grafana: CSRF vulnerability can lead to privilege escalation
- resolve CVE-2022-21713 grafana: IDOR vulnerability can lead to information disclosure
- resolve CVE-2021-23648 sanitize-url: XSS
- resolve CVE-2022-21698 prometheus/client_golang: Denial of service using InstrumentHandlerCounter
- declare Node.js dependencies of subpackages
- make vendor and webpack tarballs reproducible
* Fri Jan 28 2022 Andreas Gerstmayr  7.5.13-1
- update to 7.5.13 tagged upstream community sources, see CHANGELOG
- support Go 1.18
* Thu Jan 20 2022 Fedora Release Engineering  - 7.5.11-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2046615 - CVE-2022-21673 grafana: Forward OAuth Identity Token can allow users to access some data sources [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2046615
  [ 2 ] Bug #2053453 - CVE-2022-21702 grafana: XSS vulnerability in data source handling [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2053453
  [ 3 ] Bug #2053454 - CVE-2022-21703 grafana: CSRF vulnerability can lead to privilege escalation [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2053454
  [ 4 ] Bug #2053455 - CVE-2022-21713 grafana: IDOR vulnerability can lead to information disclosure [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2053455
  [ 5 ] Bug #2066482 - CVE-2021-23648 grafana: sanitize-url: XSS [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2066482
  [ 6 ] Bug #2067414 - CVE-2022-21698 grafana: prometheus/client_golang: Denial of service using InstrumentHandlerCounter [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2067414
  [ 7 ] Bug #2067452 - CVE-2022-21698 grafana: prometheus/client_golang: Denial of service using InstrumentHandlerCounter [fedora-34]
        https://bugzilla.redhat.com/show_bug.cgi?id=2067452
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2022-83405f9d5b' at the command
line. For more information, refer to the dnf documentation available at
https://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure