# Security update for grafana and mybatis Announcement ID: SUSE-SU-2024:1530-1 Rating: moderate References: * bsc#1219912 * bsc#1222155 * jsc#MSQA-760 Cross-References: * CVE-2023-6152 * CVE-2024-1313 CVSS scores: * CVE-2023-6152 ( SUSE ): 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L * CVE-2024-1313 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N Affected Products: * openSUSE Leap 15.5 * SUSE Linux Enterprise Desktop 15 SP5 * SUSE Linux Enterprise High Performance Computing 15 SP5 * SUSE Linux Enterprise Micro 5.5 * SUSE Linux Enterprise Real Time 15 SP5 * SUSE Linux Enterprise Server 15 SP5 * SUSE Linux Enterprise Server for SAP Applications 15 SP5 * SUSE Package Hub 15 15-SP5 An update that solves two vulnerabilities and contains one feature can now be installed. ## Description: This update for grafana and mybatis fixes the following issues: grafana was updated to version 9.5.18: * Grafana now requires Go 1.20 * Security issues fixed: * CVE-2024-1313: Require same organisation when deleting snapshots (bsc#1222155) * CVE-2023-6152: Add email verification when updating user email (bsc#1219912) * Other non-security related changes: * Version 9.5.17: * [FEATURE] Alerting: Backport use Alertmanager API v2 * Version 9.5.16: * [BUGFIX] Annotations: Split cleanup into separate queries and deletes to avoid deadlocks on MySQL * Version 9.5.15: * [FEATURE] Alerting: Attempt to retry retryable errors * Version 9.5.14: * [BUGFIX] Alerting: Fix state manager to not keep datasource_uid and ref_id labels in state after Error * [BUGFIX] Transformations: Config overrides being lost when config from query transform is applied * [BUGFIX] LDAP: Fix enable users on successfull login * Version 9.5.13: * [BUGFIX] BrowseDashboards: Only remember the most recent expanded folder * [BUGFIX] Licensing: Pass func to update env variables when starting plugin * Version 9.5.12: * [FEATURE] Azure: Add support for Workload Identity authentication * Version 9.5.9: * [FEATURE] SSE: Fix DSNode to not panic when response has empty response * [FEATURE] Prometheus: Handle the response with different field key order * [BUGFIX] LDAP: Fix user disabling mybatis: * `apache-commons-ognl` is now a non-optional dependency * Fixed building with log4j v1 and v2 dependencies ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * SUSE Package Hub 15 15-SP5 zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP5-2024-1530=1 * openSUSE Leap 15.5 zypper in -t patch openSUSE-SLE-15.5-2024-1530=1 ## Package List: * SUSE Package Hub 15 15-SP5 (aarch64 ppc64le s390x x86_64) * grafana-9.5.18-150200.3.56.1 * grafana-debuginfo-9.5.18-150200.3.56.1 * openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64) * grafana-9.5.18-150200.3.56.1 * grafana-debuginfo-9.5.18-150200.3.56.1 * openSUSE Leap 15.5 (noarch) * mybatis-3.5.6-150200.5.6.1 * mybatis-javadoc-3.5.6-150200.5.6.1 ## References: * https://www.suse.com/security/cve/CVE-2023-6152.html * https://www.suse.com/security/cve/CVE-2024-1313.html * https://bugzilla.suse.com/show_bug.cgi?id=1219912 * https://bugzilla.suse.com/show_bug.cgi?id=1222155 * https://jira.suse.com/browse/MSQA-760