SUSE-SU-2022:4428-1: important: Security update for grafana

sle-updates at lists.suse.com sle-updates at lists.suse.com
Tue Dec 13 11:26:56 UTC 2022


   SUSE Security Update: Security update for grafana
______________________________________________________________________________

Announcement ID:    SUSE-SU-2022:4428-1
Rating:             important
References:         #1188571 #1189520 #1192383 #1192763 #1193492 
                    #1193686 #1199810 #1201535 #1201539 #1203596 
                    #1203597 PED-2145 
Cross-References:   CVE-2021-36222 CVE-2021-3711 CVE-2021-41174
                    CVE-2021-41244 CVE-2021-43798 CVE-2021-43813
                    CVE-2021-43815 CVE-2022-29170 CVE-2022-31097
                    CVE-2022-31107 CVE-2022-35957 CVE-2022-36062
                   
CVSS scores:
                    CVE-2021-36222 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2021-36222 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2021-3711 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-3711 (SUSE): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-41174 (NVD) : 6.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:N
                    CVE-2021-41174 (SUSE): 6.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:N
                    CVE-2021-41244 (NVD) : 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-41244 (SUSE): 9.1 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
                    CVE-2021-43798 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
                    CVE-2021-43798 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
                    CVE-2021-43813 (NVD) : 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
                    CVE-2021-43813 (SUSE): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
                    CVE-2021-43815 (NVD) : 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
                    CVE-2021-43815 (SUSE): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
                    CVE-2022-29170 (NVD) : 8.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
                    CVE-2022-29170 (SUSE): 6.6 CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:L
                    CVE-2022-31097 (NVD) : 8.7 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
                    CVE-2022-31097 (SUSE): 7.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
                    CVE-2022-31107 (NVD) : 7.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
                    CVE-2022-31107 (SUSE): 7.1 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L
                    CVE-2022-35957 (NVD) : 6.6 CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
                    CVE-2022-35957 (SUSE): 6.6 CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
                    CVE-2022-36062 (NVD) : 3.8 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
                    CVE-2022-36062 (SUSE): 6.4 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L

Affected Products:
                    SUSE Linux Enterprise High Performance Computing 15-SP4
                    SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP4
                    SUSE Linux Enterprise Server 15-SP4
                    SUSE Linux Enterprise Server for SAP Applications 15-SP4
                    SUSE Manager Proxy 4.3
                    SUSE Manager Retail Branch Server 4.3
                    SUSE Manager Server 4.3
                    openSUSE Leap 15.3
                    openSUSE Leap 15.4
______________________________________________________________________________

   An update that fixes 12 vulnerabilities, contains one
   feature is now available.

Description:

   This update for grafana fixes the following issues:

   Version update from 8.3.10 to 8.5.13 (jsc#PED-2145):

   - Security fixes:
     * CVE-2022-36062: (bsc#1203596)
     * CVE-2022-35957: (bsc#1203597)
     * CVE-2022-31107: (bsc#1201539)
     * CVE-2022-31097: (bsc#1201535)
     * CVE-2022-29170: (bsc#1199810)
     * CVE-2021-43813, CVE-2021-43815: (bsc#1193686)
     * CVE-2021-43798: (bsc#1193492)
     * CVE-2021-41244: (bsc#1192763)
     * CVE-2021-41174: (bsc#1192383)
     * CVE-2021-3711: (bsc#1189520)
     * CVE-2021-36222: (bsc#1188571)

   - Features and enhancements:
     * AccessControl: Disable user remove and user update roles when they do
       not have the permissions
     * AccessControl: Provisioning for teams
     * Alerting: Add custom grouping to Alert Panel
     * Alerting: Add safeguard for migrations that might cause dataloss
     * Alerting: AlertingProxy to elevate permissions for request forwarded
       to data proxy when RBAC enabled
     * Alerting: Grafana uses > instead of >= when checking the For duration
     * Alerting: Move slow queries in the scheduler to another goroutine
     * Alerting: Remove disabled flag for data source when migrating alerts
     * Alerting: Show notification tab of legacy alerting only to editor
     * Alerting: Update migration to migrate only alerts that belon to
       existing org\dashboard
     * Alerting: Use expanded labels in dashboard annotations
     * Alerting: Use time.Ticker instead of alerting.Ticker in ngalert
     * Analytics: Add user id tracking to google analytics
     * Angular: Add AngularJS plugin support deprecation plan to docs site
     * API: Add usage stats preview endpoint
     * API: Extract OpenAPI specification from source code using go-swagger
     * Auth: implement auto_sign_up for auth.jwt
     * Azure monitor Logs: Optimize data fetching in resource picker
     * Azure Monitor Logs: Order subscriptions in resource picker by name
     * Azure Monitor: Include datasource ref when interpolating variables.
     * AzureMonitor: Add support for not equals and startsWith operators when
       creating Azure Metrics dimension filters.
     * AzureMonitor: Do not quote variables when a custom "All" variable
       option is used
     * AzureMonitor: Filter list of resources by resourceType
     * AzureMonitor: Update allowed namespaces
     * BarChart: color by field, x time field, bar radius, label skipping
     * Chore: Implement OpenTelemetry in Grafana
     * Cloud Monitoring: Adds metric type to Metric drop down options
     * CloudMonitor: Correctly encode default project response
     * CloudWatch: Add all ElastiCache Redis Metrics
     * CloudWatch: Add Data Lifecycle Manager metrics and dimension
     * CloudWatch: Add Missing Elasticache Host-level metrics
     * CloudWatch: Add multi-value template variable support for log group
       names in logs query builder
     * CloudWatch: Add new AWS/ES metrics. #43034, @sunker
     * Cloudwatch: Add support for AWS/PrivateLink* metrics and dimensions
     * Cloudwatch: Add support for new AWS/RDS EBS* metrics
     * Cloudwatch: Add syntax highlighting and autocomplete for "Metric
       Search"
     * Cloudwatch: Add template variable query function for listing log groups
     * Configuration: Add ability to customize okta login button name and icon
     * Elasticsearch: Add deprecation notice for < 7.10 versions.
     * Explore: Support custom display label for exemplar links for
       Prometheus datasource
     * Hotkeys: Make time range absolute/permanent
     * InfluxDB: Use backend for influxDB by default via feature toggle
     * Legend: Use correct unit for percent and count calculations
     * Logs: Escape windows newline into single newline
     * Loki: Add unpack to autocomplete suggestions
     * Loki: Use millisecond steps in Grafana 8.5.x.
     * Playlists: Enable sharing direct links to playlists
     * Plugins: Allow using both Function and Class components for app plugins
     * Plugins: Expose emotion/react to plugins to prevent load failures
     * Plugins: Introduce HTTP 207 Multi Status response to api/ds/query
     * Rendering: Add support for renderer token
     * Setting: Support configuring feature toggles with bools instead of
       just passing an array
     * SQLStore: Prevent concurrent migrations
     * SSE: Add Mode to drop NaN/Inf/Null in Reduction operations
     * Tempo: Switch out Select with AsyncSelect component to get loading
       state in Tempo Search
     * TimeSeries: Add migration for Graph panel's transform series override
     * TimeSeries: Add support for negative Y and constant transform
     * TimeSeries: Preserve null/undefined values when performing negative y
       transform
     * Traces: Filter by service/span name and operation in Tempo and Jaeger
     * Transformations: Add 'JSON' field type to ConvertFieldTypeTransformer
     * Transformations: Add an All Unique Values Reducer
     * Transformers: avoid error when the ExtractFields source field is
       missing

   - Breaking changes:
     * For a data source query made via /api/ds/query:
       + If the DatasourceQueryMultiStatus feature is enabled and the data
         source response has an error set as part of the DataResponse, the
         resulting HTTP status code is now '207 Multi Status' instead of '400
         Bad gateway'
       + If the DatasourceQueryMultiStatus feature is not enabled and the
         data source response has an error set as part of the DataResponse,
         the resulting HTTP status code is '400 BadRequest' (no breaking
         change)
     * For a proxied request, e.g. Grafana's datasource or plugin proxy:
       + If the request is cancelled, e.g. from the browser/by the client,
         the HTTP status code is now '499 Client closed' request instead of
         502 Bad gateway If the request times out, e.g. takes longer time
         than allowed, the HTTP status code is now '504 Gateway timeout'
         instead of '502 Bad gateway'.
       + The change in behavior is that negative-valued series are now
         stacked downwards from 0 (in their own stacks), rather than
         downwards from the top of the positive stacks. We now automatically
         group stacks by Draw style, Line interpolation, and Bar alignment,
         making it impossible to stack bars on top of lines, or smooth lines
         on top of stepped lines
       + The meaning of the default data source has now changed from being a
         persisted property in a panel. Before when you selected the default
         data source for a panel and later changed the default data source to
         another data source it would change all panels who were configured
         to use the default data source. From  now on the default data source
         is just the default for new panels and changing the default will not
         impact any currently saved dashboards
       + The Tooltip component provided by @grafana/ui is no longer
         automatically interactive (that is you can hover onto it and click a
         link or select text). It will from now on by default close
         automatically when you mouse out from the trigger element. To make
         tooltips behave like before set the new interactive property to true.

   - Deprecations:
     * /api/tsdb/query API has been deprecated, please use /api/ds/query
       instead
     * AngularJS plugin support is now in a deprecated state. The
       documentation site has an article with more details on why, when, and
       how

   - Bug fixes:
     * Alerting: Add contact points provisioning API
     * Alerting: add field for custom slack endpoint
     * Alerting: Add resolved count to notification title when both firing
       and resolved present
     * Alerting: Alert rule should wait For duration when execution error
       state is Alerting
     * Alerting: Allow disabling override timings for notification policies
     * Alerting: Allow serving images from custom url path
     * Alerting: Apply Custom Headers to datasource queries
     * Alerting: Classic conditions can now display multiple values
     * Alerting: correctly show all alerts in a folder
     * Alerting: Display query from grafana-managed alert rules on
       /api/v1/rules
     * Alerting: Do not overwrite existing alert rule condition
     * Alerting: Enhance support for arbitrary group names in managed alerts
     * Alerting: Fix access to alerts for viewer with editor permissions when
       RBAC is disabled
     * Alerting: Fix anonymous access to alerting
     * Alerting: Fix migrations by making send_alerts_to field nullable
     * Alerting: Fix RBAC actions for notification policies
     * Alerting: Fix use of > instead of >= when checking the For duration
     * Alerting: Remove double quotes from matchers
     * API: Include userId, orgId, uname in request logging middleware
     * Auth: Guarantee consistency of signed SigV4 headers
     * Azure Monitor : Adding json formatting of error messages in Panel
       Header Corner and Inspect Error Tab
     * Azure Monitor: Add 2 more Curated Dashboards for VM Insights
     * Azure Monitor: Bug Fix for incorrect variable cascading for template
       variables
     * Azure Monitor: Fix space character encoding for metrics query link to
       Azure Portal
     * Azure Monitor: Fixes broken log queries that use workspace
     * Azure Monitor: Small bug fixes for Resource Picker
     * AzureAd Oauth: Fix strictMode to reject users without an assigned role
     * AzureMonitor: Fixes metric definition for Azure Storage
       queue/file/blob/table resources
     * Cloudwatch : Fixed reseting metric name when changing namespace in
       Metric Query
     * CloudWatch: Added missing MemoryDB Namespace metrics
     * CloudWatch: Fix MetricName resetting on Namespace change.
     * Cloudwatch: Fix template variables in variable queries.
     * CloudWatch: Fix variable query tag migration
     * CloudWatch: Handle new error codes for MetricInsights
     * CloudWatch: List all metrics properly in SQL autocomplete
     * CloudWatch: Prevent log groups from being removed on query change
     * CloudWatch: Remove error message when using multi-valued template vars
       in region field
     * CloudWatch: Run query on blur in logs query field
     * CloudWatch: Use default http client from aws-sdk-go
     * Dashboard: Fix dashboard update permission check
     * Dashboard: Fixes random scrolling on time range change
     * Dashboard: Template variables are now correctly persisted when
       clicking breadcrumb links
     * DashboardExport: Fix exporting and importing dashboards where query
       data source ended up as incorrect
     * DashboardPage: Remember scroll position when coming back panel edit /
       view panel
     * Dashboards: Fixes repeating by row and no refresh
     * Dashboards: Show changes in save dialog
     * DataSource: Default data source is no longer a persisted state but
       just the default data source for new panels
     * DataSourcePlugin API: Allow queries import when changing data source
       type
     * Elasticsearch: Respect maxConcurrentShardRequests datasource setting
     * Explore: Allow users to save Explore state to a new panel in a new
       dashboard
     * Explore: Avoid locking timepicker when range is inverted.
     * Explore: Fix closing split pane when logs panel is used
     * Explore: Prevent direct access to explore if disabled via feature
       toggle
     * Explore: Remove return to panel button
     * FileUpload: clicking the Upload file button now opens their modal
       correctly
     * Gauge: Fixes blank viz when data link exists and orientation was
       horizontal
     * GrafanaUI: Fix color of links in error Tooltips in light theme
     * Histogram Panel: Take decimal into consideration
     * InfluxDB: Fixes invalid no data alerts. #48295, @yesoreyeram
     * Instrumentation: Fix HTTP request instrumentation of authentication
       failures
     * Instrumentation: Make backend plugin metrics endpoints available with
       optional authentication
     * Instrumentation: Proxy status code correction and various improvements
     * LibraryPanels: Fix library panels not connecting properly in imported
       dashboards
     * LibraryPanels: Prevent long descriptions and names from obscuring the
       delete button
     * Logger: Use specified format for file logger
     * Logging: Introduce feature toggle to activate gokit/log format
     * Logs: Handle missing fields in dataframes better
     * Loki: Improve unpack parser handling
     * ManageDashboards: Fix error when deleting all dashboards from folder
       view
     * Middleware: Fix IPv6 host parsing in CSRF check
     * Navigation: Prevent navbar briefly showing on login
     * NewsPanel: Add support for Atom feeds. #45390, @kaydelaney
     * OAuth: Fix parsing of ID token if header contains non-string value
     * Panel Edit: Options search now works correctly when a logarithmic
       scale option is set
     * Panel Edit: Visualization search now works correctly with special
       characters
     * Plugins Catalog: Fix styling of hyperlinks
     * Plugins: Add deprecation notice for /api/tsdb/query endpoint
     * Plugins: Adding support for traceID field to accept variables
     * Plugins: Ensure catching all appropriate 4xx api/ds/query scenarios
     * Postgres: Return tables with hyphenated schemes
     * PostgreSQL: __unixEpochGroup to support arithmetic expression as
       argument
     * Profile/Help: Expose option to disable profile section and help menu
     * Prometheus: Enable new visual query builder by default
     * Provisioning: Fix duplicate validation when multiple organizations
       have been configured inserted
     * RBAC: Fix Anonymous Editors missing dashboard controls
     * RolePicker: Fix menu position on smaller screens
     * SAML: Allow disabling of SAML signups
     * Search: Sort results correctly when using postgres
     * Security: Fixes minor code scanning security warnings in old vendored
       javascript libs
     * Table panel: Fix horizontal scrolling when pagination is enabled
     * Table panel: Show datalinks for cell display modes JSON View and Gauge
       derivates
     * Table: Fix filter crashes table
     * Table: New pagination option
     * TablePanel: Add cell inspect option
     * TablePanel: Do not prefix columns with frame name if multipleframes
       and override active
     * TagsInput: Fix tags remove button accessibility issues
     * Tempo / Trace Viewer: Support Span Links in Trace Viewer
     * Tempo: Download span references in data inspector
     * Tempo: Separate trace to logs and loki search datasource config
     * TextPanel: Sanitize after markdown has been rendered to html
     * TimeRange: Fixes updating time range from url and browser history
     * TimeSeries: Fix detection & rendering of sparse datapoints
     * Timeseries: Fix outside range stale state
     * TimeSeries: Properly stack series with missing datapoints
     * TimeSeries: Sort tooltip values based on raw values
     * Tooltip: Fix links not legible in Tooltips when using light theme
     * Tooltip: Sort decimals using standard numeric compare
     * Trace View: Show number of child spans
     * Transformations: Support escaped characters in key-value pair parsing
     * Transforms: Labels to fields, fix label picker layout
     * Variables: Ensure variables in query params are correctly recognised
     * Variables: Fix crash when changing query variable datasource
     * Variables: Fixes issue with data source variables not updating queries
       with variable
     * Visualizations: Stack negative-valued series downwards

   - Plugin development fixes:
     * Card: Increase clickable area when meta items are present.
     * ClipboardButton: Use a fallback when the Clipboard API is unavailable
     * Loki: Fix operator description propup from being shortened.
     * OAuth: Add setting to skip org assignment for external users
     * Tooltips: Make tooltips non interactive by default
     * Tracing: Add option to map tag names to log label names in trace to
       logs settings


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Leap 15.4:

      zypper in -t patch openSUSE-SLE-15.4-2022-4428=1

   - openSUSE Leap 15.3:

      zypper in -t patch openSUSE-SLE-15.3-2022-4428=1

   - SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP4:

      zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP4-2022-4428=1



Package List:

   - openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64):

      grafana-8.5.13-150200.3.29.5
      grafana-debuginfo-8.5.13-150200.3.29.5

   - openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64):

      grafana-8.5.13-150200.3.29.5
      grafana-debuginfo-8.5.13-150200.3.29.5

   - SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP4 (aarch64 ppc64le s390x x86_64):

      grafana-8.5.13-150200.3.29.5


References:

   https://www.suse.com/security/cve/CVE-2021-36222.html
   https://www.suse.com/security/cve/CVE-2021-3711.html
   https://www.suse.com/security/cve/CVE-2021-41174.html
   https://www.suse.com/security/cve/CVE-2021-41244.html
   https://www.suse.com/security/cve/CVE-2021-43798.html
   https://www.suse.com/security/cve/CVE-2021-43813.html
   https://www.suse.com/security/cve/CVE-2021-43815.html
   https://www.suse.com/security/cve/CVE-2022-29170.html
   https://www.suse.com/security/cve/CVE-2022-31097.html
   https://www.suse.com/security/cve/CVE-2022-31107.html
   https://www.suse.com/security/cve/CVE-2022-35957.html
   https://www.suse.com/security/cve/CVE-2022-36062.html
   https://bugzilla.suse.com/1188571
   https://bugzilla.suse.com/1189520
   https://bugzilla.suse.com/1192383
   https://bugzilla.suse.com/1192763
   https://bugzilla.suse.com/1193492
   https://bugzilla.suse.com/1193686
   https://bugzilla.suse.com/1199810
   https://bugzilla.suse.com/1201535
   https://bugzilla.suse.com/1201539
   https://bugzilla.suse.com/1203596
   https://bugzilla.suse.com/1203597



More information about the sle-updates mailing list