
A grafana security update has been released for SUSE Linux Enterprise 15 SP1.



security-announce: openSUSE-SU-2020:1611-1: moderate: Security update for grafana


openSUSE Security Update: Security update for grafana
______________________________________________________________________________

Announcement ID: openSUSE-SU-2020:1611-1
Rating: moderate
References: #1044444 #1044933 #1115960 #1170557
Cross-References: CVE-2018-19039 CVE-2019-15043 CVE-2020-12245 CVE-2020-13379
Affected Products:
openSUSE Backports SLE-15-SP1
______________________________________________________________________________

An update that fixes four vulnerabilities is now available.

Description:

This update for grafana fixes the following issues:

grafana was updated to version 7.1.5:

* Features / Enhancements

- Stats: Stop counting the same user multiple times.
- Field overrides: Filter by field name using regex.
- AzureMonitor: map more units.
- Explore: Don't run queries on datasource change.
- Graph: Support setting field unit & override data source (automatic)
unit.
- Explore: Unification of logs/metrics/traces user interface
- Table: JSON Cell should try to convert strings to JSON
- Variables: enables cancel for slow query variables queries.
- TimeZone: unify the time zone pickers to one that can rule them all.
- Search: support URL query params.
- Grafana-UI: Add FileUpload.
- TablePanel: Sort numbers correctly.

* Bug fixes

- Alerting: remove LongToWide call in alerting.
- AzureMonitor: fix panic introduced in 7.1.4 when unit was
unspecified and alias was used.
- Variables: Fixes issue with All variable not being resolved.
- Templating: Fixes so texts show in picker not the values.
- Templating: Fix undefined result when using raw
interpolation format
- TextPanel: Fix content overflowing panel boundaries.
- StatPanel: Fix stat panel display name not showing when explicitly
set.
- Query history: Fix search filtering if null value.
- Flux: Ensure connections to InfluxDB are closed.
- Dashboard: Fix viewer being able to enter panel edit mode by modifying
the URL (but not save anything).
- Prometheus: Fix prom links in mixed mode.
- Sign In: Use correct URL for the Sign In button.
- StatPanel: Fixes issue with name showing for single series / field
results
- BarGauge: Fix space bug in single series mode.
- Auth: Fix POST request failures with anonymous access
- Templating: Fix recursive loop of template variable queries when
changing ad-hoc-variable
- Templating: Fixed recursive queries triggered when switching
dashboard settings view
- GraphPanel: Fix annotations overflowing panels.
- Prometheus: Fix performance issue in processing of histogram labels.
- Datasources: Handle URL parsing error.
- Security: Use Header.Set and Header.Del for X-Grafana-User header.
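
The last entry names methods of Go's net/http `Header` type. The following is an added example, not Grafana's code or part of the original announcement: it shows how `Add`, `Set` and `Del` differ when a proxy stamps an identity header onto a request that may already carry a client-supplied value. The function names and sample values are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
)

const userHeader = "X-Grafana-User" // header name taken from the changelog entry

// stampWithAdd appends the login after any value the client already sent,
// so a backend that reads only the first value sees the client's value.
func stampWithAdd(h http.Header, login string) {
	h.Add(userHeader, login)
}

// stampWithSet replaces every existing value with the authenticated login,
// or removes the header entirely when no login should be forwarded.
func stampWithSet(h http.Header, login string, forward bool) {
	if forward && login != "" {
		h.Set(userHeader, login)
		return
	}
	h.Del(userHeader)
}

// incoming builds a constructed header set in which the client has already
// supplied its own value for the identity header.
func incoming() http.Header {
	h := http.Header{}
	h.Add("x-grafana-user", "client-supplied") // Add canonicalizes the key
	return h
}

func main() {
	a := incoming()
	stampWithAdd(a, "alice")
	fmt.Println("Add:", a.Values(userHeader), "first =", a.Get(userHeader))

	s := incoming()
	stampWithSet(s, "alice", true)
	fmt.Println("Set:", s.Values(userHeader))

	d := incoming()
	stampWithSet(d, "", false)
	fmt.Println("Del:", d.Values(userHeader), "present =", len(d[userHeader]) > 0)
}
```

With `Add` the header ends up with two values and `Get` returns the client-supplied one; with `Set` only the authenticated login remains, and `Del` leaves no trace of the inbound value.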

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP1:

zypper in -t patch openSUSE-2020-1611=1


Package List:

- openSUSE Backports SLE-15-SP1 (aarch64 ppc64le s390x x86_64):

grafana-7.1.5-bp151.2.1

References:

  https://www.suse.com/security/cve/CVE-2018-19039.html
  https://www.suse.com/security/cve/CVE-2019-15043.html
  https://www.suse.com/security/cve/CVE-2020-12245.html
  https://www.suse.com/security/cve/CVE-2020-13379.html
  https://bugzilla.suse.com/1044444
  https://bugzilla.suse.com/1044933
  https://bugzilla.suse.com/1115960
  https://bugzilla.suse.com/1170557