openSUSE Security Update: Security update for grafana ______________________________________________________________________________ Announcement ID: openSUSE-SU-2020:1611-1 Rating: moderate References: #1044444 #1044933 #1115960 #1170557 Cross-References: CVE-2018-19039 CVE-2019-15043 CVE-2020-12245 CVE-2020-13379 Affected Products: openSUSE Backports SLE-15-SP1 ______________________________________________________________________________ An update that fixes four vulnerabilities is now available. Description: This update for grafana fixes the following issues: grafana was updated to version 7.1.5: * Features / Enhancements - Stats: Stop counting the same user multiple times. - Field overrides: Filter by field name using regex. - AzureMonitor: map more units. - Explore: Don't run queries on datasource change. - Graph: Support setting field unit & override data source (automatic) unit. - Explore: Unification of logs/metrics/traces user interface - Table: JSON Cell should try to convert strings to JSON - Variables: enables cancel for slow query variables queries. - TimeZone: unify the time zone pickers to one that can rule them all. - Search: support URL query params. - Grafana-UI: Add FileUpload. - TablePanel: Sort numbers correctly. * Bug fixes - Alerting: remove LongToWide call in alerting. - AzureMonitor: fix panic introduced in 7.1.4 when unit was unspecified and alias was used. - Variables: Fixes issue with All variable not being resolved. - Templating: Fixes so texts show in picker not the values. - Templating: Templating: Fix undefined result when using raw interpolation format - TextPanel: Fix content overflowing panel boundaries. - StatPanel: Fix stat panel display name not showing when explicitly set. - Query history: Fix search filtering if null value. - Flux: Ensure connections to InfluxDB are closed. - Dashboard: Fix for viewer can enter panel edit mode by modifying url (but cannot not save anything). - Prometheus: Fix prom links in mixed mode. - Sign In Use correct url for the Sign In button. - StatPanel: Fixes issue with name showing for single series / field results - BarGauge: Fix space bug in single series mode. - Auth: Fix POST request failures with anonymous access - Templating: Fix recursive loop of template variable queries when changing ad-hoc-variable - Templating: Fixed recursive queries triggered when switching dashboard settings view - GraphPanel: Fix annotations overflowing panels. - Prometheus: Fix performance issue in processing of histogram labels. - Datasources: Handle URL parsing error. - Security: Use Header.Set and Header.Del for X-Grafana-User header. Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Backports SLE-15-SP1: zypper in -t patch openSUSE-2020-1611=1 Package List: - openSUSE Backports SLE-15-SP1 (aarch64 ppc64le s390x x86_64): grafana-7.1.5-bp151.2.1 References: https://www.suse.com/security/cve/CVE-2018-19039.html https://www.suse.com/security/cve/CVE-2019-15043.html https://www.suse.com/security/cve/CVE-2020-12245.html https://www.suse.com/security/cve/CVE-2020-13379.html https://bugzilla.suse.com/1044444 https://bugzilla.suse.com/1044933 https://bugzilla.suse.com/1115960 https://bugzilla.suse.com/1170557 -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security-announce+help@opensuse.org