SUSE-SU-2024:1530-1

Import Source
https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2024:1530-1.json
JSON Data
https://api.osv.dev/v1/vulns/SUSE-SU-2024:1530-1
Published
2024-05-06T09:52:35Z
Modified
2024-05-06T09:52:35Z
Summary
Security update for grafana and mybatis
Details

This update for grafana and mybatis fixes the following issues:

grafana was updated to version 9.5.18:

  • Grafana now requires Go 1.20
  • Security issues fixed:

    • CVE-2024-1313: Require same organisation when deleting snapshots (bsc#1222155)
    • CVE-2023-6152: Add email verification when updating user email (bsc#1219912)
  • Other non-security related changes:

    • Version 9.5.17:

      • [FEATURE] Alerting: Backport use Alertmanager API v2
    • Version 9.5.16:

      • [BUGFIX] Annotations: Split cleanup into separate queries and deletes to avoid deadlocks on MySQL
    • Version 9.5.15:

      • [FEATURE] Alerting: Attempt to retry retryable errors
    • Version 9.5.14:

      • [BUGFIX] Alerting: Fix state manager to not keep datasourceuid and refid labels in state after Error
      • [BUGFIX] Transformations: Config overrides being lost when config from query transform is applied
      • [BUGFIX] LDAP: Fix enable users on successful login
    • Version 9.5.13:

      • [BUGFIX] BrowseDashboards: Only remember the most recent expanded folder
      • [BUGFIX] Licensing: Pass func to update env variables when starting plugin
    • Version 9.5.12:

      • [FEATURE] Azure: Add support for Workload Identity authentication
    • Version 9.5.9:

      • [FEATURE] SSE: Fix DSNode to not panic when response has empty response
      • [FEATURE] Prometheus: Handle the response with different field key order
      • [BUGFIX] LDAP: Fix user disabling

mybatis:

  • apache-commons-ognl is now a non-optional dependency
  • Fixed building with log4j v1 and v2 dependencies

Affected packages

SUSE:Linux Enterprise Module for Package Hub 15 SP5 / grafana

Package

Name
grafana
Purl
purl:rpm/suse/grafana&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP5

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
9.5.18-150200.3.56.1

Ecosystem specific

{
    "binaries": [
        {
            "grafana": "9.5.18-150200.3.56.1"
        }
    ]
}

openSUSE:Leap 15.5 / grafana

Package

Name
grafana
Purl
purl:rpm/suse/grafana&distro=openSUSE%20Leap%2015.5

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
9.5.18-150200.3.56.1

Ecosystem specific

{
    "binaries": [
        {
            "mybatis": "3.5.6-150200.5.6.1",
            "mybatis-javadoc": "3.5.6-150200.5.6.1",
            "grafana": "9.5.18-150200.3.56.1"
        }
    ]
}

openSUSE:Leap 15.5 / mybatis

Package

Name
mybatis
Purl
purl:rpm/suse/mybatis&distro=openSUSE%20Leap%2015.5

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
3.5.6-150200.5.6.1

Ecosystem specific

{
    "binaries": [
        {
            "mybatis": "3.5.6-150200.5.6.1",
            "mybatis-javadoc": "3.5.6-150200.5.6.1",
            "grafana": "9.5.18-150200.3.56.1"
        }
    ]
}