SUSE-SU-2023:2917-1

Published: 20 Jul 2023
Source: suse-cvrf

Description

Security update for SUSE Manager Client Tools

This update fixes the following issues:

grafana:

  • Update to version 9.5.5:
    • CVE-2023-3128: Fix authentication bypass using Azure AD OAuth (bsc#1212641, jsc#PED-3694)
    • Bug fixes:
      • Auth: Show invite button if disable login form is set to false.
      • Azure: Fix Kusto auto-completion for Azure datasources.
      • RBAC: Remove legacy AC editor and admin role on new dashboard route.
      • API: Revert allowing editors to access GET /datasources.
      • Settings: Add ability to override skip_org_role_sync with Env variables.
  • Update to version 9.5.3:
    • CVE-2023-2801: Query: Prevent crash while executing concurrent mixed queries (bsc#1212099)
    • CVE-2023-2183: Alerting: Require alert.notifications:write permissions to test receivers and templates (bsc#1212100)
  • Update to version 9.5.2:
    • Alerting: Scheduler uses rule fingerprint instead of version.
    • Explore: Update table min height.
    • DataLinks: Encoded URL fixed.
    • TimeSeries: Fix leading null-fill for missing intervals.
    • Dashboard: Revert fixed header shown on mobile devices in the new panel header.
    • PostgreSQL: Fix TLS certificate issue by downgrading lib/pq.
    • Provisioning: Fix provisioning issues with legacy alerting and data source permissions.
    • Alerting: Fix misleading status code in provisioning API.
    • Loki: Fix log samples using instant queries.
    • Panel Header: Implement new Panel Header on Angular Panels.
    • Azure Monitor: Fix bug that was not showing resources for certain locations.
    • Alerting: Fix panic when reparenting receivers to groups following an attempted rename via Provisioning.
    • Cloudwatch Logs: Clarify Cloudwatch Logs Limits.
  • Update to version 9.5.1:
    • Loki Variable Query Editor: Fix bug when the query is updated.
    • Expressions: Fix expression load with legacy UID -100.

Package list

Container ses/7.1/ceph/grafana:latest
grafana-9.5.5-150200.3.44.1
SUSE Linux Enterprise Module for Package Hub 15 SP4
grafana-9.5.5-150200.3.44.1
SUSE Linux Enterprise Module for Package Hub 15 SP5
grafana-9.5.5-150200.3.44.1
openSUSE Leap 15.4
grafana-9.5.5-150200.3.44.1
openSUSE Leap 15.5
grafana-9.5.5-150200.3.44.1
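The package versions above carry the upstream Grafana version in front of the SUSE release suffix (`9.5.5` in `9.5.5-150200.3.44.1`). The following Go program is an added example, not part of this advisory or of Grafana, that answers the question an administrator actually has when reading the page: given an installed grafana version string, which of the three CVEs named in the changelog are still unfixed? The per-CVE fixed releases are taken verbatim from the advisory text (9.5.5 for CVE-2023-3128; 9.5.3 and 9.4.12 for CVE-2023-2801; 9.5.3, 9.4.12, 9.3.15, 9.2.19 and 8.5.26 for CVE-2023-2183). Where the advisory names no fixed release for the installed branch, the program conservatively reports the CVE as still open rather than guessing.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// version holds the three numeric components of an upstream Grafana release.
type version struct{ major, minor, patch int }

// parseVersion accepts either a bare "9.5.5" or an rpm-style
// "9.5.5-150200.3.44.1"; the SUSE release after the first '-' is ignored.
func parseVersion(s string) (version, error) {
	upstream := strings.SplitN(s, "-", 2)[0]
	parts := strings.Split(upstream, ".")
	if len(parts) != 3 {
		return version{}, fmt.Errorf("unexpected version format %q", s)
	}
	var n [3]int
	for i, p := range parts {
		v, err := strconv.Atoi(p)
		if err != nil {
			return version{}, fmt.Errorf("non-numeric component %q in %q", p, s)
		}
		n[i] = v
	}
	return version{n[0], n[1], n[2]}, nil
}

// branch is the maintained release line, e.g. "9.5".
func (v version) branch() string { return fmt.Sprintf("%d.%d", v.major, v.minor) }

// atLeast reports whether v >= w in semantic order.
func (v version) atLeast(w version) bool {
	if v.major != w.major {
		return v.major > w.major
	}
	if v.minor != w.minor {
		return v.minor > w.minor
	}
	return v.patch >= w.patch
}

// fixedVersions lists, per CVE, the releases that carry the fix, exactly as
// stated in the advisory text above.
var fixedVersions = map[string][]string{
	"CVE-2023-3128": {"9.5.5"},
	"CVE-2023-2801": {"9.5.3", "9.4.12"},
	"CVE-2023-2183": {"9.5.3", "9.4.12", "9.3.15", "9.2.19", "8.5.26"},
}

// stillAffected returns the CVEs from this advisory for which the installed
// version has not reached the fixed release on its own branch. A branch the
// advisory names no fixed release for is treated as affected.
func stillAffected(installed string) ([]string, error) {
	v, err := parseVersion(installed)
	if err != nil {
		return nil, err
	}
	var open []string
	for _, cve := range []string{"CVE-2023-2183", "CVE-2023-2801", "CVE-2023-3128"} {
		fixed := false
		for _, f := range fixedVersions[cve] {
			fv, err := parseVersion(f)
			if err != nil {
				return nil, err
			}
			if fv.branch() == v.branch() && v.atLeast(fv) {
				fixed = true
				break
			}
		}
		if !fixed {
			open = append(open, cve)
		}
	}
	return open, nil
}

func main() {
	// Constructed sample inputs: the package from this advisory, plus older
	// builds an administrator might still find installed.
	for _, s := range []string{"9.5.5-150200.3.44.1", "9.5.4", "9.4.12", "9.5.2", "8.5.26"} {
		open, err := stillAffected(s)
		if err != nil {
			fmt.Println(s, "->", err)
			continue
		}
		fmt.Printf("%-22s still affected: %v\n", s, open)
	}
}
```

Feed it the output of `rpm -q grafana` on the host being checked; an empty list means every CVE on this page is covered by the installed build.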

Description (CVE-2023-2183)

Grafana is an open-source platform for monitoring and observability. The option to send a test alert is not available from the user panel UI for users with the Viewer role. It is still possible for a user with the Viewer role to send a test alert through the API, because the API does not check access to this function. This might enable malicious users to abuse the functionality by sending multiple alert messages to e-mail and Slack, spamming users, preparing a phishing attack or blocking the SMTP server. Users may upgrade to version 9.5.3, 9.4.12, 9.3.15, 9.2.19 or 8.5.26 to receive a fix.


Affected products
Container ses/7.1/ceph/grafana:latest:grafana-9.5.5-150200.3.44.1
SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.5-150200.3.44.1
SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.5-150200.3.44.1
openSUSE Leap 15.4:grafana-9.5.5-150200.3.44.1


Description (CVE-2023-2801)

Grafana is an open-source platform for monitoring and observability. Using public dashboards, users can query multiple distinct data sources with mixed queries. However, such a query can crash a Grafana instance. The only feature that uses mixed queries at the moment is public dashboards, but the same effect can be achieved by calling the query API directly. This might enable malicious users to crash Grafana instances through that endpoint. Users may upgrade to version 9.4.12 or 9.5.3 to receive a fix.


Affected products
Container ses/7.1/ceph/grafana:latest:grafana-9.5.5-150200.3.44.1
SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.5-150200.3.44.1
SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.5-150200.3.44.1
openSUSE Leap 15.4:grafana-9.5.5-150200.3.44.1


Description (CVE-2023-3128)

Grafana validates Azure AD accounts based on the email claim. In Azure AD, the profile email field is not unique and can easily be modified. This leads to account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant app.
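The root cause stated above is an identity mapping keyed on a mutable, non-unique claim. The Go program below is an added illustration written for this page; it is not Grafana's code and does not claim to reproduce Grafana's exact fix. It places the vulnerable lookup (match on `email`) next to a hardened one that first restricts the token's tenant (`tid` claim) to an allow-list and then matches the account on the tenant plus the immutable `oid` (object id) claim that Azure AD issues. The `Claims` and `User` types, the user record and both token payloads are constructed sample data; keying on `(tid, oid)` with a tenant allow-list is the assumed remediation design.

```go
package main

import (
	"errors"
	"fmt"
)

// Claims is the subset of an Azure AD token payload used here (constructed
// sample type). "email" comes from the editable profile field; "oid" (object
// id) and "tid" (tenant id) are assigned by the identity provider and cannot
// be changed by the account holder.
type Claims struct {
	Email string
	OID   string
	TID   string
}

// User is a constructed stand-in for a stored Grafana user record.
type User struct {
	Login    string
	Email    string
	Tenant   string
	ObjectID string
}

// lookupByEmail models the behaviour the advisory describes as vulnerable:
// the account is resolved by the email claim alone, so a token issued to any
// tenant of a multi-tenant app that carries the same address resolves to the
// existing account.
func lookupByEmail(users []User, c Claims) (*User, error) {
	for i := range users {
		if users[i].Email == c.Email {
			return &users[i], nil
		}
	}
	return nil, errors.New("no matching user")
}

// lookupByObjectID is the hardened variant (assumed design): the token's
// tenant must be on an allow-list, and the account is matched on the
// (tid, oid) pair rather than on the email address.
func lookupByObjectID(users []User, allowedTenants map[string]bool, c Claims) (*User, error) {
	if !allowedTenants[c.TID] {
		return nil, fmt.Errorf("tenant %q is not allowed", c.TID)
	}
	for i := range users {
		if users[i].Tenant == c.TID && users[i].ObjectID == c.OID {
			return &users[i], nil
		}
	}
	return nil, errors.New("no matching user")
}

// sampleUsers returns constructed test data: one existing account.
func sampleUsers() []User {
	return []User{{Login: "alice", Email: "alice@example.com", Tenant: "tenant-a", ObjectID: "oid-alice"}}
}

// legitimateClaims is a constructed token for alice from her own tenant.
func legitimateClaims() Claims {
	return Claims{Email: "alice@example.com", OID: "oid-alice", TID: "tenant-a"}
}

// foreignClaims is a constructed token from a different tenant whose profile
// email field was set to alice's address, as the advisory describes.
func foreignClaims() Claims {
	return Claims{Email: "alice@example.com", OID: "oid-other", TID: "tenant-b"}
}

func main() {
	users := sampleUsers()
	allowed := map[string]bool{"tenant-a": true}
	for _, c := range []Claims{legitimateClaims(), foreignClaims()} {
		u1, err1 := lookupByEmail(users, c)
		u2, err2 := lookupByObjectID(users, allowed, c)
		fmt.Printf("tid=%s oid=%s\n  by email:     %v %v\n  by (tid,oid): %v %v\n", c.TID, c.OID, u1, err1, u2, err2)
	}
}
```

The email-keyed lookup returns alice's record for both tokens; the object-id lookup returns it only for the token from the allowed tenant with alice's own `oid`, and rejects the foreign-tenant token before any user matching takes place.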


Affected products
Container ses/7.1/ceph/grafana:latest:grafana-9.5.5-150200.3.44.1
SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.5-150200.3.44.1
SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.5-150200.3.44.1
openSUSE Leap 15.4:grafana-9.5.5-150200.3.44.1

References
Vulnerability record SUSE-SU-2023:2917-1