SUSE: 2023:3071-1 ses/7.1/ceph/grafana Security Update
Summary
- Advisory ID: SUSE-RU-2023:2497-1 Released: Tue Jun 13 15:37:25 2023 Summary: Recommended update for libzypp Type: recommended Severity: important
- Advisory ID: SUSE-SU-2023:2575-1 Released: Wed Jun 21 13:41:49 2023 Summary: Security update for SUSE Manager Client Tools Type: security Severity: important
- Advisory ID: SUSE-RU-2023:2625-1 Released: Fri Jun 23 17:16:11 2023 Summary: Recommended update for gcc12 Type: recommended Severity: moderate
- Advisory ID: SUSE-RU-2023:2742-1 Released: Fri Jun 30 11:40:56 2023 Summary: Recommended update for autoyast2, libzypp, yast2-pkg-bindings, yast2-update, zypper Type: recommended Severity: moderate
- Advisory ID: SUSE-RU-2023:2855-1 Released: Mon Jul 17 16:35:21 2023 Summary: Recommended update for openldap2 Type: recommended Severity: moderate
- Advisory ID: SUSE-SU-2023:2882-1 Released: Wed Jul 19 11:49:39 2023 Summary: Security update for perl Type: security Severity: important
- Advisory ID: SUSE-RU-2023:2885-1 Released: Wed Jul 19 16:58:43 2023 Summary: Recommended update for glibc Type: recommended Severity: moderate
- Advisory ID: SUSE-SU-2023:2917-1 Released: Thu Jul 20 11:49:45 2023 Summary: Security update for SUSE Manager Client Tools Type: security Severity: critical
- Advisory ID: SUSE-RU-2023:2918-1 Released: Thu Jul 20 12:00:17 2023 Summary: Recommended update for gpgme Type: recommended Severity: moderate
- Advisory ID: SUSE-SU-2023:2956-1 Released: Tue Jul 25 08:33:38 2023 Summary: Security update for libcap Type: security Severity: moderate
- Advisory ID: SUSE-SU-2023:3179-1 Released: Thu Aug 3 13:59:38 2023 Summary: Security update for openssl-1_1 Type: security Severity: moderate
- Advisory ID: SUSE-RU-2023:3284-1 Released: Fri Aug 11 10:29:50 2023 Summary: Recommended update for shadow Type: recommended Severity: moderate
- Advisory ID: SUSE-SU-2023:3291-1 Released: Fri Aug 11 12:51:21 2023 Summary: Security update for openssl-1_1 Type: security Severity: moderate
- Advisory ID: SUSE-SU-2023:3365-1 Released: Fri Aug 18 20:35:01 2023 Summary: Security update for krb5 Type: security Severity: important
- Advisory ID: SUSE-SU-2023:3472-1 Released: Tue Aug 29 10:55:16 2023 Summary: Security update for procps Type: security Severity: low
- Advisory ID: SUSE-RU-2023:3515-1 Released: Fri Sep 1 15:54:25 2023 Summary: Recommended update for libzypp, zypper Type: recommended Severity: moderate
- Advisory ID: SUSE-SU-2023:3639-1 Released: Mon Sep 18 13:33:16 2023 Summary: Security update for libeconf Type: security Severity: moderate
- Advisory ID: SUSE-SU-2023:3661-1 Released: Mon Sep 18 21:44:09 2023 Summary: Security update for gcc12 Type: security Severity: important
- Advisory ID: SUSE-SU-2023:3698-1 Released: Wed Sep 20 11:01:15 2023 Summary: Security update for libxml2 Type: security Severity: important
References
References : 1089497 1158763 1192154 1192696 1198165 1200480 1201535 1201539
1201627 1202234 1203185 1203596 1203597 1204501 1206627 1207534
1208721 1209229 1209565 1209645 1210740 1210907 1210999 1211078
1211261 1211419 1211661 1211828 1212099 1212100 1212187 1212222
1212260 1212641 1213189 1213231 1213487 1213517 1213557
1213673 1213853 1214052 1214054 1214290 1214768 CVE-2020-7753
CVE-2021-3807 CVE-2021-3918 CVE-2021-43138 CVE-2022-0155 CVE-2022-27664
CVE-2022-31097 CVE-2022-31107 CVE-2022-32149 CVE-2022-35957 CVE-2022-36062
CVE-2022-4304 CVE-2023-1387 CVE-2023-1410 CVE-2023-2183 CVE-2023-22652
CVE-2023-2603 CVE-2023-2801 CVE-2023-30078 CVE-2023-30079 CVE-2023-3128
CVE-2023-31484 CVE-2023-32181 CVE-2023-3446 CVE-2023-36054 CVE-2023-3817
CVE-2023-39615 CVE-2023-4016 CVE-2023-4039
References: 1211661, 1212187
This update for libzypp fixes the following issues:
- Fix 'Curl error 92' when synchronizing SUSE Manager repositories. [bsc#1212187]
- Do not unconditionally release a medium if provideFile failed. [bsc#1211661]
References: 1192154, 1192696, 1200480, 1201535, 1201539, 1203185, 1203596, 1203597, 1204501, 1209645, 1210907, CVE-2020-7753, CVE-2021-3807, CVE-2021-3918, CVE-2021-43138, CVE-2022-0155, CVE-2022-27664, CVE-2022-31097, CVE-2022-31107, CVE-2022-32149, CVE-2022-35957, CVE-2022-36062, CVE-2023-1387, CVE-2023-1410
This update fixes the following issues:
grafana:
- Version update from 8.5.22 to 9.5.1 (jsc#PED-3694):
* Security fixes:
- CVE-2023-1410: grafana: Stored XSS in Graphite FunctionDescription tooltip (bsc#1209645)
- CVE-2023-1387: grafana: JWT URL-login flow leaks token to data sources through request parameter in proxy requests (bnc#1210907)
- CVE-2022-36062: grafana: Fix RBAC folders/dashboards privilege escalation (bsc#1203596)
- CVE-2022-35957: grafana: Escalation from admin to server admin when auth proxy is used (bsc#1203597)
- CVE-2022-32149: Upgrade x/text to version unaffected by CVE-2022-32149 (bsc#1204501)
- CVE-2022-31107: grafana: OAuth account takeover (bsc#1201539)
- CVE-2022-31097: grafana: stored XSS vulnerability (bsc#1201535)
- CVE-2022-27664: go1.18,go1.19: net/http: handle server errors after sending GOAWAY (bsc#1203185)
- CVE-2022-0155: follow-redirects: Exposure of Private Personal Information to an Unauthorized Actor
- CVE-2021-43138: spacewalk-web: a malicious user can obtain privileges via the mapValues() method (bsc#1200480)
- CVE-2021-3918: json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') (bsc#1192696)
- CVE-2021-3807: node-ansi-regex: Inefficient Regular Expression Complexity in chalk/ansi-regex (bsc#1192154)
- CVE-2020-7753: nodejs-trim: Regular Expression Denial of Service (ReDoS) in trim function
* Important changes:
- Default named retention policies won't be used to query.
Users who have a default named retention policy in their InfluxDB database have to rename it to something else.
To change the hardcoded retention policy in dashboard.json, users must then select the right retention policy
from the dropdown and save the panel/dashboard.
- Grafana Alerting rules with NoDataState configuration set to Alerting will now respect 'For' duration.
- Users who use LDAP role sync to only sync Viewer, Editor and Admin roles, but grant Grafana Server Admin role
manually will not be able to do that anymore. After this change, LDAP role sync will override any manual changes
to Grafana Server Admin role assignments. If grafana_admin is left unset in LDAP role mapping configuration, it
will default to false.
- The InfluxDB backend migration feature toggle (influxdbBackendMigration) has been reintroduced in this version
because issues were discovered with backend processing of InfluxDB data. Unless this feature toggle is enabled, all
InfluxDB data is parsed in the frontend; this frontend processing is the default behavior.
In Grafana 9.4.4, InfluxDB data parsing started to be handled in the backend. If you upgraded to 9.4.4
and then added new transformations on InfluxDB data, those panels will fail to render. To resolve this, either
remove the affected panel and re-create it, or edit the `time` field as `Time` in `panel.json`
or `dashboard.json`.
- The `@grafana/ui` package helper function `selectOptionInTest` used in frontend tests has been removed as it
caused testing libraries to be bundled in the production code of Grafana. If you were using this helper function
in your tests please update your code accordingly.
- Removed deprecated `checkHealth` prop from the `@grafana/e2e` `addDataSource` configuration. Previously this
value defaulted to `false`, and has not been used in end-to-end tests since Grafana 8.0.3.
- Removed the deprecated `LegacyBaseMap`, `LegacyValueMapping`, `LegacyValueMap`, and `LegacyRangeMap` types, and
`getMappedValue` function from grafana-data. See the documentation for the migration.
This change fixes a bug in Grafana where an intermittent failure of the database, of the network between Grafana and
the database, or an error in querying the database would cause all alert rules to be unscheduled in Grafana.
Following this change, scheduled alert rules are not updated unless the query is successful.
- The `get_alert_rules_duration_seconds` metric has been renamed to `schedule_query_alert_rules_duration_seconds`
- Any secret (data source credentials, alert manager credentials, etc.) created or modified with Grafana v9.0
won't be decryptable by any previous version (by default), because the way encrypted secrets are stored in the
database has changed. Secrets created or modified with previous versions will, however, still be decryptable by
Grafana v9.0.
- If required, although generally discouraged, the `disableEnvelopeEncryption` feature toggle can be enabled to
keep envelope encryption disabled once updating to Grafana
- If you need to roll back to an earlier version of Grafana (i.e. Grafana v8.x) for any reason after any secret has
been created or modified with Grafana v9.0, the `envelopeEncryption` feature toggle will need to be enabled
to keep backwards compatibility (a bit unstable from `v8.3.x`, stable from `8.5.x`).
- As a final attempt to deal with the situations above, the
`grafana-cli admin secrets-migration rollback` command has been designed to move all the Grafana secrets
encrypted with envelope encryption back to legacy encryption. After running that command it should be safe to
disable envelope encryption and/or roll back to a previous version of Grafana.
Alternatively or complementarily to all the points above, backing up the Grafana database before updating is
a good idea to prevent disasters (although the risk of getting some secrets corrupted only applies to those
updated or created after updating to Grafana v9.0).
- In Elasticsearch, browser access mode was deprecated in grafana 7.4.0 and removed in 9.0.0. If you used this mode
please switch to server access mode on the datasource configuration page.
- Environment variables passed from Grafana to external Azure plugins have been renamed:
`AZURE_CLOUD` renamed to `GFAZPL_AZURE_CLOUD`,
`AZURE_MANAGED_IDENTITY_ENABLED` renamed to `GFAZPL_MANAGED_IDENTITY_ENABLED`,
`AZURE_MANAGED_IDENTITY_CLIENT_ID` renamed to `GFAZPL_MANAGED_IDENTITY_CLIENT_ID`.
There are no known plugins which were relying on these variables. Moving forward plugins should read Azure
settings only via Grafana Azure SDK which properly handles old and new environment variables.
- Removes support for ElasticSearch versions that have reached their end-of-life, currently versions < 7.10.0.
To continue to use the ElasticSearch data source, upgrade ElasticSearch to version 7.10.0+.
- Application Insights and Insight Analytics queries in Azure Monitor were deprecated in Grafana 8.0 and finally
removed in 9.0. Deprecated queries will no longer be executed.
- grafana/ui: Button now specifies a default type='button'.
The `Button` component provided by @grafana/ui now specifies a default `type='button'` when no type is provided.
In previous versions, if the attribute was not specified for buttons associated with a `
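As an added pre-upgrade check for the LDAP role sync change listed above (example code, not part of the advisory or of Grafana itself): it reads the `[[servers.group_mappings]]` tables of an ldap.toml, reports the mappings that leave `grafana_admin` unset, and evaluates the Server Admin flag a user ends up with after sync, since manual grants are now overridden. The ldap.toml sample is constructed, and the first-matching-mapping-wins evaluation is an assumption of this example.

```python
import re

# Constructed sample ldap.toml (not from the advisory): one mapping grants
# grafana_admin explicitly, the other two leave it unset.
SAMPLE_LDAP_TOML = """
[[servers]]
host = "ldap.example.test"

[[servers.group_mappings]]
group_dn = "cn=ops,dc=example,dc=test"
org_role = "Admin"
grafana_admin = true

[[servers.group_mappings]]
group_dn = "cn=devs,dc=example,dc=test"
org_role = "Editor"

[[servers.group_mappings]]
group_dn = "*"
org_role = "Viewer"
"""

TABLE_RE = re.compile(r"^\[\[(.+?)\]\]$")
KV_RE = re.compile(r"^(\w+)\s*=\s*(.+)$")


def parse_group_mappings(text):
    """Minimal reader for [[servers.group_mappings]] tables; quoted strings lose their quotes."""
    mappings, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        table = TABLE_RE.match(line)
        if table:
            current = {} if table.group(1) == "servers.group_mappings" else None
            if current is not None:
                mappings.append(current)
            continue
        kv = KV_RE.match(line)
        if kv and current is not None:
            current[kv.group(1)] = kv.group(2).strip().strip('"')
    return mappings


def mappings_without_grafana_admin(mappings):
    """group_dn of each mapping with grafana_admin unset: after the upgrade these resolve to false."""
    return [m["group_dn"] for m in mappings if "grafana_admin" not in m]


def server_admin_after_sync(mappings, user_groups):
    """Post-upgrade rule: LDAP sync decides Server Admin, unset means false.
    Assumption of this example: the first mapping that matches the user (or "*") wins."""
    for m in mappings:
        if m.get("group_dn") == "*" or m.get("group_dn") in user_groups:
            return m.get("grafana_admin") == "true"
    return False
```

Any user whose Server Admin flag was granted by hand and who lands on a mapping reported by `mappings_without_grafana_admin` loses that flag at the next LDAP sync, so add `grafana_admin = true` to the intended mapping before upgrading.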