<div class="container">
<h1>Security update for grafana</h1>
<table class="table table-striped table-bordered">
<tbody>
<tr>
<th>Announcement ID:</th>
<td>SUSE-SU-2025:0545-1</td>
</tr>
<tr>
<th>Release Date:</th>
<td>2025-02-14T07:24:23Z</td>
</tr>
<tr>
<th>Rating:</th>
<td>moderate</td>
</tr>
<tr>
<th>References:</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1212641">bsc#1212641</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1219912">bsc#1219912</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1231024">bsc#1231024</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1234554">bsc#1234554</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1236301">bsc#1236301</a>
</li>
<li style="display: inline;">
<a href="https://jira.suse.com/browse/MSQA-914">jsc#MSQA-914</a>
</li>
<li style="display: inline;">
<a href="https://jira.suse.com/browse/PED-11591">jsc#PED-11591</a>
</li>
<li style="display: inline;">
<a href="https://jira.suse.com/browse/PED-11649">jsc#PED-11649</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>
Cross-References:
</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2023-3128.html">CVE-2023-3128</a>
</li>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2023-6152.html">CVE-2023-6152</a>
</li>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2024-45337.html">CVE-2024-45337</a>
</li>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2024-6837.html">CVE-2024-6837</a>
</li>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2024-8118.html">CVE-2024-8118</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>CVSS scores:</th>
<td>
<ul class="list-group">
<li class="list-group-item">
<span class="cvss-reference">CVE-2023-3128</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">9.4</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2023-3128</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">9.4</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2023-3128</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">9.8</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2023-6152</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">5.4</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2023-6152</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">5.4</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2023-6152</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">5.4</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2024-45337</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">8.1</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2024-45337</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">9.1</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2024-6837</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">5.3</span>
<span class="cvss-vector">CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2024-6837</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">5.4</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2024-8118</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">4.7</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2024-8118</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">5.1</span>
<span class="cvss-vector">CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X</span>
</li>
</ul>
</td>
</tr>
<tr>
<th>Affected Products:</th>
<td>
<ul class="list-group">
<li class="list-group-item">openSUSE Leap 15.6</li>
<li class="list-group-item">SUSE Linux Enterprise Desktop 15 SP6</li>
<li class="list-group-item">SUSE Linux Enterprise Real Time 15 SP6</li>
<li class="list-group-item">SUSE Linux Enterprise Server 15 SP6</li>
<li class="list-group-item">SUSE Linux Enterprise Server for SAP Applications 15 SP6</li>
<li class="list-group-item">SUSE Package Hub 15 15-SP6</li>
</ul>
</td>
</tr>
</tbody>
</table>
<p>An update that solves five vulnerabilities and contains three features can now be installed.</p>
<h2>Description:</h2>
<p>This update for grafana fixes the following issues:</p>
<p>grafana was updated from version 9.5.18 to 10.4.13 (jsc#PED-11591,jsc#PED-11649):</p>
<ul>
<li>Security issues fixed:</li>
<li>CVE-2024-45337: Prevent possible misuse of ServerConfig.PublicKeyCallback by upgrading
golang.org/x/crypto (bsc#1234554)</li>
<li>CVE-2023-3128: Fixed authentication bypass using Azure AD OAuth (bsc#1212641)</li>
<li>CVE-2023-6152: Add email verification when updating user email (bsc#1219912)</li>
<li>CVE-2024-6837: Fixed potential data source permission escalation (bsc#1236301)</li>
<li>
<p>CVE-2024-8118: Fixed permission on external alerting rule write endpoint (bsc#1231024)</p>
</li>
<li>
<p>Potential breaking changes in version 10:</p>
</li>
<li>In panels using the <code>extract fields</code> transformation, where one
of the extracted names collides with one of the already
existing ields, the extracted field will be renamed.</li>
<li>For the existing backend mode users who have table
visualization might see some inconsistencies on their panels.
We have updated the table column naming. This will
potentially affect field transformations and/or field
overrides. To resolve this either: update transformation or
field override.</li>
<li>For the existing backend mode users who have Transformations
with the <code>time</code> field, might see their transformations are
not working. Those panels that have broken transformations
will fail to render. This is because we changed the field
key. To resolve this either: Remove the affected panel and
re-create it; Select the <code>Time</code> field again; Edit the <code>time</code>
field as <code>Time</code> for transformation in <code>panel.json</code> or
<code>dashboard.json</code> </li>
<li>The following data source permission endpoints have been removed:
<code>GET /datasources/:datasourceId/permissions</code>
<code>POST /api/datasources/:datasourceId/permissions</code>
<code>DELETE /datasources/:datasourceId/permissions</code>
<code>POST /datasources/:datasourceId/enable-permissions</code>
<code>POST /datasources/:datasourceId/disable-permissions</code><ul>
<li>Please use the following endpoints instead:
<code>GET /api/access-control/datasources/:uid</code> for listing data
source permissions
<code>POST /api/access-control/datasources/:uid/users/:id</code>,
<code>POST /api/access-control/datasources/:uid/teams/:id</code> and
<code>POST /api/access-control/datasources/:uid/buildInRoles/:id</code>
for adding or removing data source permissions</li>
</ul>
</li>
<li>If you are using Terraform Grafana provider to manage data source permissions, you will need to upgrade your
provider.</li>
<li>For the existing backend mode users who have table visualization might see some inconsistencies on their panels.
We have updated the table column naming. This will potentially affect field transformations and/or field overrides.</li>
<li>The deprecated <code>/playlists/{uid}/dashboards</code> API endpoint has been removed.
Dashboard information can be retrieved from the <code>/dashboard/...</code> APIs.</li>
<li>The <code>PUT /api/folders/:uid</code> endpoint no more supports modifying the folder's <code>UID</code></li>
<li>Removed all components for the old panel header design.</li>
<li>Please review https://grafana.com/docs/grafana/next/breaking-changes/breaking-changes-v10-3/
for more details</li>
<li>OAuth role mapping enforcement: This change impacts GitHub,
Gitlab, Okta, and Generic OAuth. To avoid overriding manually
set roles, enable the skip_org_role_sync option in the
Grafana configuration for your OAuth provider before
upgrading</li>
<li>Angular has been deprecated</li>
<li>Grafana legacy alerting has been deprecated</li>
<li>API keys are migrating to service accounts</li>
<li>The experimental “dashboard previews” feature is removed</li>
<li>Usernames are now case-insensitive by default</li>
<li>Grafana OAuth integrations do not work anymore with email lookups</li>
<li>The “Alias” field in the CloudWatch data source is removed</li>
<li>Athena data source plugin must be updated to version >=2.9.3</li>
<li>Redshift data source plugin must be updated to version >=1.8.3</li>
<li>DoiT International BigQuery plugin no longer supported</li>
<li>
<p>Please review https://grafana.com/docs/grafana/next/breaking-changes/breaking-changes-v10-0
for more details</p>
</li>
<li>
<p>This update brings many new features, enhancements and fixes highlighted at:</p>
</li>
<li>https://grafana.com/docs/grafana/next/whatsnew/whats-new-in-v10-4/</li>
<li>https://grafana.com/docs/grafana/next/whatsnew/whats-new-in-v10-3/</li>
<li>https://grafana.com/docs/grafana/next/whatsnew/whats-new-in-v10-2/</li>
<li>https://grafana.com/docs/grafana/next/whatsnew/whats-new-in-v10-1/</li>
<li>https://grafana.com/docs/grafana/next/whatsnew/whats-new-in-v10-0/</li>
</ul>
<h2>Patch Instructions:</h2>
<p>
To install this SUSE update use the SUSE recommended
installation methods like YaST online_update or "zypper patch".<br/>
Alternatively you can run the command listed for your product:
</p>
<ul class="list-group">
<li class="list-group-item">
openSUSE Leap 15.6
<br/>
<code>zypper in -t patch openSUSE-SLE-15.6-2025-545=1</code>
</li>
<li class="list-group-item">
SUSE Package Hub 15 15-SP6
<br/>
<code>zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP6-2025-545=1</code>
</li>
</ul>
<h2>Package List:</h2>
<ul>
<li>
openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64)
<ul>
<li>grafana-10.4.13-150200.3.59.1</li>
<li>grafana-debuginfo-10.4.13-150200.3.59.1</li>
</ul>
</li>
<li>
SUSE Package Hub 15 15-SP6 (aarch64 ppc64le s390x x86_64)
<ul>
<li>grafana-10.4.13-150200.3.59.1</li>
<li>grafana-debuginfo-10.4.13-150200.3.59.1</li>
</ul>
</li>
</ul>
<h2>References:</h2>
<ul>
<li>
<a href="https://www.suse.com/security/cve/CVE-2023-3128.html">https://www.suse.com/security/cve/CVE-2023-3128.html</a>
</li>
<li>
<a href="https://www.suse.com/security/cve/CVE-2023-6152.html">https://www.suse.com/security/cve/CVE-2023-6152.html</a>
</li>
<li>
<a href="https://www.suse.com/security/cve/CVE-2024-45337.html">https://www.suse.com/security/cve/CVE-2024-45337.html</a>
</li>
<li>
<a href="https://www.suse.com/security/cve/CVE-2024-6837.html">https://www.suse.com/security/cve/CVE-2024-6837.html</a>
</li>
<li>
<a href="https://www.suse.com/security/cve/CVE-2024-8118.html">https://www.suse.com/security/cve/CVE-2024-8118.html</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1212641">https://bugzilla.suse.com/show_bug.cgi?id=1212641</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1219912">https://bugzilla.suse.com/show_bug.cgi?id=1219912</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1231024">https://bugzilla.suse.com/show_bug.cgi?id=1231024</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1234554">https://bugzilla.suse.com/show_bug.cgi?id=1234554</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1236301">https://bugzilla.suse.com/show_bug.cgi?id=1236301</a>
</li>
<li>
<a href="https://jira.suse.com/browse/MSQA-914">https://jira.suse.com/browse/MSQA-914</a>
</li>
<li>
<a href="https://jira.suse.com/browse/PED-11591">https://jira.suse.com/browse/PED-11591</a>
</li>
<li>
<a href="https://jira.suse.com/browse/PED-11649">https://jira.suse.com/browse/PED-11649</a>
</li>
</ul>
</div>