Security vulnerabilities in the grafana software package

  • OS details: WN7
  • Importance: IMP
  • Operating systems: L
  • Categories: LSU

openSUSE Security Update: Security update for grafana
______________________________________________________________________________

Announcement ID: openSUSE-SU-2020:1611-1
Rating: moderate
References: #1044444 #1044933 #1115960 #1170557
Cross-References: CVE-2018-19039 CVE-2019-15043 CVE-2020-12245
CVE-2020-13379
Affected Products:
openSUSE Backports SLE-15-SP1
______________________________________________________________________________

An update that fixes four vulnerabilities is now available.

Description:

This update for grafana fixes the following issues:

grafana was updated to version 7.1.5:

* Features / Enhancements

– Stats: Stop counting the same user multiple times.
– Field overrides: Filter by field name using regex.
– AzureMonitor: map more units.
– Explore: Don’t run queries on datasource change.
– Graph: Support setting field unit & override data source (automatic)
unit.
– Explore: Unification of logs/metrics/traces user interface
– Table: JSON Cell should try to convert strings to JSON
– Variables: enables cancel for slow query variables queries.
– TimeZone: unify the time zone pickers to one that can rule them all.
– Search: support URL query params.
– Grafana-UI: Add FileUpload.
– TablePanel: Sort numbers correctly.

* Bug fixes

– Alerting: remove LongToWide call in alerting.
– AzureMonitor: fix panic introduced in 7.1.4 when unit was
unspecified and alias was used.
– Variables: Fixes issue with All variable not being resolved.
– Templating: Fixes so texts show in picker not the values.
– Templating: Fix undefined result when using raw
interpolation format
– TextPanel: Fix content overflowing panel boundaries.
– StatPanel: Fix stat panel display name not showing when explicitly
set.
– Query history: Fix search filtering if null value.
– Flux: Ensure connections to InfluxDB are closed.
– Dashboard: Fix for viewer can enter panel edit mode by modifying url
(but cannot save anything).
– Prometheus: Fix prom links in mixed mode.
– Sign In: Use correct url for the Sign In button.
– StatPanel: Fixes issue with name showing for single series / field
results
– BarGauge: Fix space bug in single series mode.
– Auth: Fix POST request failures with anonymous access
– Templating: Fix recursive loop of template variable queries when
changing ad-hoc-variable
– Templating: Fixed recursive queries triggered when switching
dashboard settings view
– GraphPanel: Fix annotations overflowing panels.
– Prometheus: Fix performance issue in processing of histogram labels.
– Datasources: Handle URL parsing error.
– Security: Use Header.Set and Header.Del for X-Grafana-User header.

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or “zypper patch”.

Alternatively you can run the command listed for your product:

– openSUSE Backports SLE-15-SP1:

zypper in -t patch openSUSE-2020-1611=1

Package List:

– openSUSE Backports SLE-15-SP1 (aarch64 ppc64le s390x x86_64):

grafana-7.1.5-bp151.2.1

References:

https://www.suse.com/security/cve/CVE-2018-19039.html
https://www.suse.com/security/cve/CVE-2019-15043.html
https://www.suse.com/security/cve/CVE-2020-12245.html
https://www.suse.com/security/cve/CVE-2020-13379.html
https://bugzilla.suse.com/1044444
https://bugzilla.suse.com/1044933
https://bugzilla.suse.com/1115960
https://bugzilla.suse.com/1170557



Author: Bruno Varga
Cert id: NCERT-REF-2020-10-0001-ADV
CVE: CERT-CVE-DUMMY
Source ID: CERT-ORIGID-DUMMY
Product: CERT-DUMMY-PRODUCT
Source: Adobe