ELSA-2024-9115

Published: 14 Nov 2024
Source: oracle-oval
Platform: Oracle Linux 9

Description

ELSA-2024-9115: grafana security update (MODERATE)

[10.2.6-4]

  • Resolves RHEL-44874

[10.2.6-3]

  • Resolves RHEL-35937

[10.2.6-2]

  • Fixes patch 1002 for update to golang-fips
  • Remove unused code under apsl-1.1 and apsl-1.2 licenses
  • Resolves RHEL-33655

[10.2.6-1]

  • Rebase to grafana 10.2.6

[9.2.10-15]

  • Resolves RHEL-23468
  • Allows for gid to be 0
  • Allows for postgreSQL datasource in selinux policy

[9.2.10-14]

  • Fixes postgresql AVC denial
  • Related RHEL-7505

[9.2.10-13]

  • Resolves RHEL-19296
  • Fixes coredump issue introduced by selinux
  • Patches out call to panic when trying to walk '/' directory

[9.2.10-12]

  • Resolves RHEL-7505
  • Fixes additional selinux denials found when testing on certain architectures

[9.2.10-11]

  • Resolves RHEL-7505
  • Fixes selinux denials found when testing on certain architectures

[9.2.10-10]

  • Resolves RHEL-7505
  • Adds a selinux policy for grafana
  • Resolves RHEL-12666
  • fix CVE-2023-39325 CVE-2023-44487 rapid stream resets can cause excessive work

[9.2.10-5]

  • resolve CVE-2023-3128 grafana: account takeover possible when using Azure AD OAuth

[9.2.10-3]

  • bumps exporter-toolkit to v0.7.3, sanitize-url@npm to 6.0.2, skip problematic s390 tests, License AGPL-3.0-only.

[9.2.10-2]

  • Update to 9.2.10

[9.2.10-1]

  • Update to 9.2.10

[9.0.9-2]

  • resolve CVE-2022-39229 grafana: Using email as a username can prevent other users from signing in
  • resolve CVE-2022-2880 CVE-2022-41715 grafana: various flaws

[9.0.9-1]

  • update to 9.0.9 tagged upstream community sources, see CHANGELOG
  • resolve CVE-2022-35957 grafana: Escalation from admin to server admin when auth proxy is used (rhbz#2125530)

[9.0.8-2]

  • bump NVR

[9.0.8-1]

  • update to 9.0.8 tagged upstream community sources, see CHANGELOG
  • do not list /usr/share/grafana/conf twice
  • drop makefile in favor of create_bundles.sh script
  • sync provides/obsoletes with CentOS versions
  • drop husky patch

[7.5.15-3]

  • resolve CVE-2022-1962 golang: go/parser: stack exhaustion in all Parse* functions
  • resolve CVE-2022-1705 golang: net/http: improper sanitization of Transfer-Encoding header
  • resolve CVE-2022-32148 golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working
  • resolve CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read
  • resolve CVE-2022-30630 golang: io/fs: stack exhaustion in Glob
  • resolve CVE-2022-30632 golang: path/filepath: stack exhaustion in Glob
  • resolve CVE-2022-30635 golang: encoding/gob: stack exhaustion in Decoder.Decode
  • resolve CVE-2022-28131 golang: encoding/xml: stack exhaustion in Decoder.Skip
  • resolve CVE-2022-30633 golang: encoding/xml: stack exhaustion in Unmarshal

[7.5.15-2]

  • resolve CVE-2022-31107 grafana: OAuth account takeover

Updated packages

Oracle Linux 9

Oracle Linux aarch64

  • grafana 10.2.6-4.el9
  • grafana-selinux 10.2.6-4.el9

Oracle Linux x86_64

  • grafana 10.2.6-4.el9
  • grafana-selinux 10.2.6-4.el9
