Security update for grafana and mybatis

Announcement ID:	SUSE-SU-2024:1530-1
Rating:	moderate
References:	bsc#1219912 bsc#1222155 jsc#MSQA-760
Cross-References:	CVE-2023-6152 CVE-2024-1313
CVSS scores:	CVE-2023-6152 ( SUSE ): 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L CVE-2024-1313 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Affected Products:	openSUSE Leap 15.5 SUSE Linux Enterprise Desktop 15 SP5 SUSE Linux Enterprise High Performance Computing 15 SP5 SUSE Linux Enterprise Micro 5.5 SUSE Linux Enterprise Real Time 15 SP5 SUSE Linux Enterprise Server 15 SP5 SUSE Linux Enterprise Server for SAP Applications 15 SP5 SUSE Package Hub 15 15-SP5

An update that solves two vulnerabilities and contains one feature can now be installed.

Description:

This update for grafana and mybatis fixes the following issues:

grafana was updated to version 9.5.18:

• Grafana now requires Go 1.20

• Security issues fixed:

• CVE-2024-1313: Require same organisation when deleting snapshots (bsc#1222155)

• CVE-2023-6152: Add email verification when updating user email (bsc#1219912)

• Other non-security related changes:

• Version 9.5.17:

  • [FEATURE] Alerting: Backport use Alertmanager API v2

• Version 9.5.16:

  • [BUGFIX] Annotations: Split cleanup into separate queries and deletes to avoid deadlocks on MySQL

• Version 9.5.15:

  • [FEATURE] Alerting: Attempt to retry retryable errors

• Version 9.5.14:

  • [BUGFIX] Alerting: Fix state manager to not keep datasource_uid and ref_id labels in state after Error
  • [BUGFIX] Transformations: Config overrides being lost when config from query transform is applied
  • [BUGFIX] LDAP: Fix enable users on successfull login

• Version 9.5.13:

  • [BUGFIX] BrowseDashboards: Only remember the most recent expanded folder
  • [BUGFIX] Licensing: Pass func to update env variables when starting plugin

• Version 9.5.12:

  • [FEATURE] Azure: Add support for Workload Identity authentication

• Version 9.5.9:

  • [FEATURE] SSE: Fix DSNode to not panic when response has empty response
  • [FEATURE] Prometheus: Handle the response with different field key order
  • [BUGFIX] LDAP: Fix user disabling

mybatis:

• apache-commons-ognl is now a non-optional dependency
• Fixed building with log4j v1 and v2 dependencies

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Package Hub 15 15-SP5
  zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP5-2024-1530=1
• openSUSE Leap 15.5
  zypper in -t patch openSUSE-SLE-15.5-2024-1530=1

Package List:

• SUSE Package Hub 15 15-SP5 (aarch64 ppc64le s390x x86_64)
  • grafana-9.5.18-150200.3.56.1
  • grafana-debuginfo-9.5.18-150200.3.56.1
• openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64)
  • grafana-9.5.18-150200.3.56.1
  • grafana-debuginfo-9.5.18-150200.3.56.1
• openSUSE Leap 15.5 (noarch)
  • mybatis-3.5.6-150200.5.6.1
  • mybatis-javadoc-3.5.6-150200.5.6.1

References:

• https://www.suse.com/security/cve/CVE-2023-6152.html
• https://www.suse.com/security/cve/CVE-2024-1313.html
• https://bugzilla.suse.com/show_bug.cgi?id=1219912
• https://bugzilla.suse.com/show_bug.cgi?id=1222155
• https://jira.suse.com/browse/MSQA-760