Security update for grafana

Announcement ID: SUSE-SU-2022:4428-1
Rating: important
References:
Cross-References:
CVSS scores:
  • CVE-2021-36222 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2021-36222 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2021-3711 ( SUSE ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • CVE-2021-3711 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • CVE-2021-41174 ( SUSE ): 6.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:N
  • CVE-2021-41174 ( NVD ): 6.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:N
  • CVE-2021-41244 ( SUSE ): 9.1 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
  • CVE-2021-41244 ( NVD ): 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
  • CVE-2021-43798 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  • CVE-2021-43798 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  • CVE-2021-43813 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
  • CVE-2021-43813 ( NVD ): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
  • CVE-2021-43815 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
  • CVE-2021-43815 ( NVD ): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
  • CVE-2022-29170 ( SUSE ): 6.6 CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:L
  • CVE-2022-29170 ( NVD ): 8.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
  • CVE-2022-31097 ( SUSE ): 7.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
  • CVE-2022-31097 ( NVD ): 8.7 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
  • CVE-2022-31107 ( SUSE ): 7.1 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L
  • CVE-2022-31107 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
  • CVE-2022-35957 ( SUSE ): 6.6 CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
  • CVE-2022-35957 ( NVD ): 6.6 CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
  • CVE-2022-36062 ( SUSE ): 6.4 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L
  • CVE-2022-36062 ( NVD ): 7.6 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
Affected Products:
  • openSUSE Leap 15.4
  • SUSE Linux Enterprise Desktop 15 SP4
  • SUSE Linux Enterprise High Performance Computing 15 SP4
  • SUSE Linux Enterprise Micro 5.3
  • SUSE Linux Enterprise Micro 5.4
  • SUSE Linux Enterprise Real Time 15 SP4
  • SUSE Linux Enterprise Server 15 SP4
  • SUSE Linux Enterprise Server for SAP Applications 15 SP4
  • SUSE Manager Proxy 4.3
  • SUSE Manager Retail Branch Server 4.3
  • SUSE Manager Server 4.3
  • SUSE Package Hub 15 15-SP4

An update that solves 12 vulnerabilities and contains one feature can now be installed.

Description:

This update for grafana fixes the following issues:

Version update from 8.3.10 to 8.5.13 (jsc#PED-2145):

  • Security fixes:
  • CVE-2022-36062: (bsc#1203596)
  • CVE-2022-35957: (bsc#1203597)
  • CVE-2022-31107: (bsc#1201539)
  • CVE-2022-31097: (bsc#1201535)
  • CVE-2022-29170: (bsc#1199810)
  • CVE-2021-43813, CVE-2021-43815: (bsc#1193686)
  • CVE-2021-43798: (bsc#1193492)
  • CVE-2021-41244: (bsc#1192763)
  • CVE-2021-41174: (bsc#1192383)
  • CVE-2021-3711: (bsc#1189520)
  • CVE-2021-36222: (bsc#1188571)

  • Features and enhancements:

  • AccessControl: Disable user remove and user update roles when they do not have the permissions
  • AccessControl: Provisioning for teams
  • Alerting: Add custom grouping to Alert Panel
  • Alerting: Add safeguard for migrations that might cause dataloss
  • Alerting: AlertingProxy to elevate permissions for request forwarded to data proxy when RBAC enabled
  • Alerting: Grafana uses > instead of >= when checking the For duration
  • Alerting: Move slow queries in the scheduler to another goroutine
  • Alerting: Remove disabled flag for data source when migrating alerts
  • Alerting: Show notification tab of legacy alerting only to editor
  • Alerting: Update migration to migrate only alerts that belong to an existing org/dashboard
  • Alerting: Use expanded labels in dashboard annotations
  • Alerting: Use time.Ticker instead of alerting.Ticker in ngalert
  • Analytics: Add user id tracking to google analytics
  • Angular: Add AngularJS plugin support deprecation plan to docs site
  • API: Add usage stats preview endpoint
  • API: Extract OpenAPI specification from source code using go-swagger
  • Auth: implement auto_sign_up for auth.jwt
  • Azure monitor Logs: Optimize data fetching in resource picker
  • Azure Monitor Logs: Order subscriptions in resource picker by name
  • Azure Monitor: Include datasource ref when interpolating variables.
  • AzureMonitor: Add support for not equals and startsWith operators when creating Azure Metrics dimension filters.
  • AzureMonitor: Do not quote variables when a custom "All" variable option is used
  • AzureMonitor: Filter list of resources by resourceType
  • AzureMonitor: Update allowed namespaces
  • BarChart: color by field, x time field, bar radius, label skipping
  • Chore: Implement OpenTelemetry in Grafana
  • Cloud Monitoring: Adds metric type to Metric drop down options
  • CloudMonitor: Correctly encode default project response
  • CloudWatch: Add all ElastiCache Redis Metrics
  • CloudWatch: Add Data Lifecycle Manager metrics and dimension
  • CloudWatch: Add Missing Elasticache Host-level metrics
  • CloudWatch: Add multi-value template variable support for log group names in logs query builder
  • CloudWatch: Add new AWS/ES metrics. #43034, @sunker
  • Cloudwatch: Add support for AWS/PrivateLink* metrics and dimensions
  • Cloudwatch: Add support for new AWS/RDS EBS* metrics
  • Cloudwatch: Add syntax highlighting and autocomplete for "Metric Search"
  • Cloudwatch: Add template variable query function for listing log groups
  • Configuration: Add ability to customize okta login button name and icon
  • Elasticsearch: Add deprecation notice for < 7.10 versions.
  • Explore: Support custom display label for exemplar links for Prometheus datasource
  • Hotkeys: Make time range absolute/permanent
  • InfluxDB: Use backend for influxDB by default via feature toggle
  • Legend: Use correct unit for percent and count calculations
  • Logs: Escape windows newline into single newline
  • Loki: Add unpack to autocomplete suggestions
  • Loki: Use millisecond steps in Grafana 8.5.x.
  • Playlists: Enable sharing direct links to playlists
  • Plugins: Allow using both Function and Class components for app plugins
  • Plugins: Expose emotion/react to plugins to prevent load failures
  • Plugins: Introduce HTTP 207 Multi Status response to api/ds/query
  • Rendering: Add support for renderer token
  • Setting: Support configuring feature toggles with bools instead of just passing an array
  • SQLStore: Prevent concurrent migrations
  • SSE: Add Mode to drop NaN/Inf/Null in Reduction operations
  • Tempo: Switch out Select with AsyncSelect component to get loading state in Tempo Search
  • TimeSeries: Add migration for Graph panel's transform series override
  • TimeSeries: Add support for negative Y and constant transform
  • TimeSeries: Preserve null/undefined values when performing negative y transform
  • Traces: Filter by service/span name and operation in Tempo and Jaeger
  • Transformations: Add 'JSON' field type to ConvertFieldTypeTransformer
  • Transformations: Add an All Unique Values Reducer
  • Transformers: avoid error when the ExtractFields source field is missing

  • Breaking changes:

  • For a data source query made via /api/ds/query:
    • If the DatasourceQueryMultiStatus feature is enabled and the data source response has an error set as part of the DataResponse, the resulting HTTP status code is now '207 Multi Status' instead of '400 Bad Request'
    • If the DatasourceQueryMultiStatus feature is not enabled and the data source response has an error set as part of the DataResponse, the resulting HTTP status code stays '400 Bad Request' (no breaking change)
  • For a proxied request, e.g. through Grafana's data source or plugin proxy:
    • If the request is cancelled, e.g. from the browser/by the client, the HTTP status code is now '499 Client Closed Request' instead of '502 Bad Gateway'
    • If the request times out, e.g. takes longer than allowed, the HTTP status code is now '504 Gateway Timeout' instead of '502 Bad Gateway'
  • Negative-valued series are now stacked downwards from 0 (in their own stacks), rather than downwards from the top of the positive stacks. Stacks are now automatically grouped by draw style, line interpolation, and bar alignment, making it impossible to stack bars on top of lines, or smooth lines on top of stepped lines
  • The meaning of the default data source has changed: it is no longer a persisted property of a panel. Previously, when you selected the default data source for a panel and later changed the default to another data source, every panel configured to use the default data source changed with it. From now on the default data source is only the default for new panels, and changing it does not affect any saved dashboard
  • The Tooltip component provided by @grafana/ui is no longer interactive by default (that is, you can no longer hover onto it and click a link or select text); it now closes automatically when the mouse leaves the trigger element. To restore the previous behaviour, set the new interactive property to true.
  • Deprecations:

  • /api/tsdb/query API has been deprecated, please use /api/ds/query instead
  • AngularJS plugin support is now in a deprecated state. The documentation site has an article with more details on why, when, and how

  • Bug fixes:

  • Alerting: Add contact points provisioning API
  • Alerting: add field for custom slack endpoint
  • Alerting: Add resolved count to notification title when both firing and resolved present
  • Alerting: Alert rule should wait For duration when execution error state is Alerting
  • Alerting: Allow disabling override timings for notification policies
  • Alerting: Allow serving images from custom url path
  • Alerting: Apply Custom Headers to datasource queries
  • Alerting: Classic conditions can now display multiple values
  • Alerting: correctly show all alerts in a folder
  • Alerting: Display query from grafana-managed alert rules on /api/v1/rules
  • Alerting: Do not overwrite existing alert rule condition
  • Alerting: Enhance support for arbitrary group names in managed alerts
  • Alerting: Fix access to alerts for viewer with editor permissions when RBAC is disabled
  • Alerting: Fix anonymous access to alerting
  • Alerting: Fix migrations by making send_alerts_to field nullable
  • Alerting: Fix RBAC actions for notification policies
  • Alerting: Fix use of > instead of >= when checking the For duration
  • Alerting: Remove double quotes from matchers
  • API: Include userId, orgId, uname in request logging middleware
  • Auth: Guarantee consistency of signed SigV4 headers
  • Azure Monitor: Add JSON formatting of error messages in the panel header corner and the Inspect error tab
  • Azure Monitor: Add 2 more Curated Dashboards for VM Insights
  • Azure Monitor: Bug Fix for incorrect variable cascading for template variables
  • Azure Monitor: Fix space character encoding for metrics query link to Azure Portal
  • Azure Monitor: Fixes broken log queries that use workspace
  • Azure Monitor: Small bug fixes for Resource Picker
  • AzureAd Oauth: Fix strictMode to reject users without an assigned role
  • AzureMonitor: Fixes metric definition for Azure Storage queue/file/blob/table resources
  • CloudWatch: Fix resetting of the metric name when changing namespace in Metric Query
  • CloudWatch: Added missing MemoryDB Namespace metrics
  • CloudWatch: Fix MetricName resetting on Namespace change.
  • Cloudwatch: Fix template variables in variable queries.
  • CloudWatch: Fix variable query tag migration
  • CloudWatch: Handle new error codes for MetricInsights
  • CloudWatch: List all metrics properly in SQL autocomplete
  • CloudWatch: Prevent log groups from being removed on query change
  • CloudWatch: Remove error message when using multi-valued template vars in region field
  • CloudWatch: Run query on blur in logs query field
  • CloudWatch: Use default http client from aws-sdk-go
  • Dashboard: Fix dashboard update permission check
  • Dashboard: Fixes random scrolling on time range change
  • Dashboard: Template variables are now correctly persisted when clicking breadcrumb links
  • DashboardExport: Fix exporting and importing dashboards where query data source ended up as incorrect
  • DashboardPage: Remember scroll position when coming back panel edit / view panel
  • Dashboards: Fixes repeating by row and no refresh
  • Dashboards: Show changes in save dialog
  • DataSource: Default data source is no longer a persisted state but just the default data source for new panels
  • DataSourcePlugin API: Allow queries import when changing data source type
  • Elasticsearch: Respect maxConcurrentShardRequests datasource setting
  • Explore: Allow users to save Explore state to a new panel in a new dashboard
  • Explore: Avoid locking timepicker when range is inverted.
  • Explore: Fix closing split pane when logs panel is used
  • Explore: Prevent direct access to explore if disabled via feature toggle
  • Explore: Remove return to panel button
  • FileUpload: Clicking the Upload file button now opens its modal correctly
  • Gauge: Fixes blank viz when data link exists and orientation was horizontal
  • GrafanaUI: Fix color of links in error Tooltips in light theme
  • Histogram Panel: Take decimal into consideration
  • InfluxDB: Fixes invalid no data alerts. #48295, @yesoreyeram
  • Instrumentation: Fix HTTP request instrumentation of authentication failures
  • Instrumentation: Make backend plugin metrics endpoints available with optional authentication
  • Instrumentation: Proxy status code correction and various improvements
  • LibraryPanels: Fix library panels not connecting properly in imported dashboards
  • LibraryPanels: Prevent long descriptions and names from obscuring the delete button
  • Logger: Use specified format for file logger
  • Logging: Introduce feature toggle to activate gokit/log format
  • Logs: Handle missing fields in dataframes better
  • Loki: Improve unpack parser handling
  • ManageDashboards: Fix error when deleting all dashboards from folder view
  • Middleware: Fix IPv6 host parsing in CSRF check
  • Navigation: Prevent navbar briefly showing on login
  • NewsPanel: Add support for Atom feeds. #45390, @kaydelaney
  • OAuth: Fix parsing of ID token if header contains non-string value
  • Panel Edit: Options search now works correctly when a logarithmic scale option is set
  • Panel Edit: Visualization search now works correctly with special characters
  • Plugins Catalog: Fix styling of hyperlinks
  • Plugins: Add deprecation notice for /api/tsdb/query endpoint
  • Plugins: Adding support for traceID field to accept variables
  • Plugins: Ensure catching all appropriate 4xx api/ds/query scenarios
  • Postgres: Return tables with hyphenated schemes
  • PostgreSQL: __unixEpochGroup to support arithmetic expression as argument
  • Profile/Help: Expose option to disable profile section and help menu
  • Prometheus: Enable new visual query builder by default
  • Provisioning: Fix duplicate validation when multiple organizations have been configured
  • RBAC: Fix Anonymous Editors missing dashboard controls
  • RolePicker: Fix menu position on smaller screens
  • SAML: Allow disabling of SAML signups
  • Search: Sort results correctly when using postgres
  • Security: Fixes minor code scanning security warnings in old vendored javascript libs
  • Table panel: Fix horizontal scrolling when pagination is enabled
  • Table panel: Show datalinks for cell display modes JSON View and Gauge derivates
  • Table: Fix filter crashes table
  • Table: New pagination option
  • TablePanel: Add cell inspect option
  • TablePanel: Do not prefix columns with the frame name if there are multiple frames and an override is active
  • TagsInput: Fix tags remove button accessibility issues
  • Tempo / Trace Viewer: Support Span Links in Trace Viewer
  • Tempo: Download span references in data inspector
  • Tempo: Separate trace to logs and loki search datasource config
  • TextPanel: Sanitize after markdown has been rendered to html
  • TimeRange: Fixes updating time range from url and browser history
  • TimeSeries: Fix detection & rendering of sparse datapoints
  • Timeseries: Fix outside range stale state
  • TimeSeries: Properly stack series with missing datapoints
  • TimeSeries: Sort tooltip values based on raw values
  • Tooltip: Fix links not legible in Tooltips when using light theme
  • Tooltip: Sort decimals using standard numeric compare
  • Trace View: Show number of child spans
  • Transformations: Support escaped characters in key-value pair parsing
  • Transforms: Labels to fields, fix label picker layout
  • Variables: Ensure variables in query params are correctly recognised
  • Variables: Fix crash when changing query variable datasource
  • Variables: Fixes issue with data source variables not updating queries with variable
  • Visualizations: Stack negative-valued series downwards

  • Plugin development fixes:

  • Card: Increase clickable area when meta items are present.
  • ClipboardButton: Use a fallback when the Clipboard API is unavailable
  • Loki: Fix operator description popup from being shortened.
  • OAuth: Add setting to skip org assignment for external users
  • Tooltips: Make tooltips non interactive by default
  • Tracing: Add option to map tag names to log label names in trace to logs settings

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • openSUSE Leap 15.4
    zypper in -t patch openSUSE-SLE-15.4-2022-4428=1
  • SUSE Package Hub 15 15-SP4
    zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP4-2022-4428=1

Package List:

  • openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64)
    • grafana-debuginfo-8.5.13-150200.3.29.5
    • grafana-8.5.13-150200.3.29.5
  • SUSE Package Hub 15 15-SP4 (aarch64 ppc64le s390x x86_64)
    • grafana-8.5.13-150200.3.29.5
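A version check to go with the patch instructions and package list above, as an added example that is not part of the SUSE advisory and not Grafana's or SUSE's own tooling: it reimplements rpm's segment-wise version comparison in Python, compares the installed grafana version-release against the fixed build 8.5.13-150200.3.29.5 named in the package list, and falls back to constructed sample strings when `rpm` is not on the host. The sample strings and the `installed_grafana_vr` / `is_fixed` names are assumptions of the example; the rpm query format `%{VERSION}-%{RELEASE}` is standard rpm syntax.

```python
"""Check whether the installed grafana RPM is at or above the fixed build
from SUSE-SU-2022:4428-1.  Added example, not SUSE or Grafana code."""
import re
import shutil
import subprocess

# Fixed build from the advisory's package list (version-release, no epoch).
FIXED_VR = "8.5.13-150200.3.29.5"

# Constructed sample outputs of
#   rpm -q --qf '%{VERSION}-%{RELEASE}\n' grafana
# with the expected verdict; not captured from a real host.
SAMPLES = {
    "8.3.10-150200.3.26.1": "vulnerable",   # pre-update version from the advisory
    "8.5.13-150200.3.29.2": "vulnerable",   # same upstream version, older release
    "8.5.13-150200.3.29.5": "fixed",        # exactly the fixed build
    "9.0.0-150200.3.30.1": "fixed",         # anything newer
}

_SEG = re.compile(r"[0-9]+|[a-zA-Z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version (or release) strings the way rpm does:
    split into numeric and alphabetic segments, compare numeric segments
    as integers, a numeric segment beats an alphabetic one, and on a
    common-prefix tie the string with more segments is newer.
    Returns -1, 0 or 1."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif xd != yd:
            return 1 if xd else -1
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def vr_cmp(a: str, b: str) -> int:
    """Compare 'version-release' strings: version first, then release."""
    av, ar = a.rsplit("-", 1)
    bv, br = b.rsplit("-", 1)
    return rpmvercmp(av, bv) or rpmvercmp(ar, br)


def is_fixed(installed_vr: str, fixed_vr: str = FIXED_VR) -> bool:
    """True when the installed version-release is at or above the fixed one."""
    return vr_cmp(installed_vr, fixed_vr) >= 0


def installed_grafana_vr():
    """Query the local rpm database.  Returns None when rpm is unavailable
    or grafana is not installed, so the caller can fall back to samples."""
    if shutil.which("rpm") is None:
        return None
    r = subprocess.run(
        ["rpm", "-q", "--qf", "%{VERSION}-%{RELEASE}\n", "grafana"],
        capture_output=True, text=True,
    )
    if r.returncode != 0:
        return None
    # Multi-arch installs print one line per package; the first is enough.
    return r.stdout.strip().splitlines()[0]


def verdicts(samples=SAMPLES) -> dict:
    """Map each sample version-release to 'fixed' or 'vulnerable'."""
    return {vr: ("fixed" if is_fixed(vr) else "vulnerable") for vr in samples}


if __name__ == "__main__":
    vr = installed_grafana_vr()
    if vr is None:
        for s, v in verdicts().items():
            print(f"{s}: {v}")
    else:
        state = "fixed" if is_fixed(vr) else "vulnerable, apply patch 2022-4428"
        print(f"grafana {vr}: {state}")
```

Run it on the host as-is: with `rpm` present it prints the verdict for the installed package, otherwise it prints verdicts for the constructed samples. The check compares the full version-release rather than the upstream version alone, so an 8.5.13 build carrying an older release string is still reported as not fixed.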
