-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: grafana security and enhancement update
Advisory ID:       RHSA-2023:2167-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:2167
Issue date:        2023-05-09
CVE Names:         CVE-2022-2880 CVE-2022-27664 CVE-2022-35957
                   CVE-2022-39229 CVE-2022-41715
====================================================================

1. Summary:

An update for grafana is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security
impact of Moderate. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available for each
vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64

3. Description:

Grafana is an open source, feature-rich metrics dashboard and graph
editor for Graphite, InfluxDB & OpenTSDB.

Security Fix(es):

* golang: net/http/httputil: ReverseProxy should not forward unparseable
  query parameters (CVE-2022-2880)

* golang: net/http: handle server errors after sending GOAWAY
  (CVE-2022-27664)

* grafana: Escalation from admin to server admin when auth proxy is used
  (CVE-2022-35957)

* grafana: using email as a username can block other users from signing
  in (CVE-2022-39229)

* golang: regexp/syntax: limit memory used by parsing regexps
  (CVE-2022-41715)

For more details about the security issue(s), including the impact, a
CVSS score, acknowledgments, and other related information, refer to the
CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 9.2 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2095421 - [RFE] grafana use systemd-sysusers
2124669 - CVE-2022-27664 golang: net/http: handle server errors after sending GOAWAY
2125514 - CVE-2022-35957 grafana: Escalation from admin to server admin when auth proxy is used
2127218 - [RHEL9][FTBFS] grafana-9.0.8-1.el9 FTBFS on Red Hat Enterprise Linux 9 - 9.1
2131149 - CVE-2022-39229 grafana: using email as a username can block other users from signing in
2132868 - CVE-2022-2880 golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters
2132872 - CVE-2022-41715 golang: regexp/syntax: limit memory used by parsing regexps

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:
grafana-9.0.9-2.el9.src.rpm

aarch64:
grafana-9.0.9-2.el9.aarch64.rpm
grafana-debuginfo-9.0.9-2.el9.aarch64.rpm
grafana-debugsource-9.0.9-2.el9.aarch64.rpm

ppc64le:
grafana-9.0.9-2.el9.ppc64le.rpm
grafana-debuginfo-9.0.9-2.el9.ppc64le.rpm
grafana-debugsource-9.0.9-2.el9.ppc64le.rpm

s390x:
grafana-9.0.9-2.el9.s390x.rpm
grafana-debuginfo-9.0.9-2.el9.s390x.rpm
grafana-debugsource-9.0.9-2.el9.s390x.rpm

x86_64:
grafana-9.0.9-2.el9.x86_64.rpm
grafana-debuginfo-9.0.9-2.el9.x86_64.rpm
grafana-debugsource-9.0.9-2.el9.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-2880
https://access.redhat.com/security/cve/CVE-2022-27664
https://access.redhat.com/security/cve/CVE-2022-35957
https://access.redhat.com/security/cve/CVE-2022-39229
https://access.redhat.com/security/cve/CVE-2022-41715
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.2_release_notes/index

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBZFo0OtzjgjWX9erEAQi5wg/+Naw+sewu3qSEpfke3GNvMoAA65fGWnjh
wlX06wlDVjaEbhytkDHs6hZwQgp86SQdlrfgCyXCgTY3hS5o6QSS8mehC2/t6/dS
9fh8VSmj9Xrv20fS/DwmvnFNjC+Zl8feDEnGAenOQLuV14FZVwb2SDKOzFSc8r5q
/BsQb1cNDGwFGJrrnfHuM8FXkNZMoIUttKLocjwhDmtkaD9PWxCFKAfepJVDtAGR
x/MTFYarz/8pWvY9qXNoiiYv//y9tc0oa0KV/yWAW5TMpJnlxiUV9d1XJtA6DpSo
hSdGo8fR9xsmdhGdorndtQrusXmwohVU3MI/L9L0Hcq7w+i68mBNh9FZt3KHnBAE
kSC+1af0fsdOTWCCjIW1B9PfPScxRw1mnUs+3E7XWmEBtuZ+vfWp2MV3XyB9SGu5
+MSryIVrgcyZpSG/1Z192J03R3ql0tumQsR6Er59x1uFP/wp5u3/qG78hb8E3mfn
nlGEKrYd8QR44CPazVIRKrGPEj5QICRafvT/8sIcYCjsUGp1IcfXTz0oHEFzaEIF
UlGqhrTK/U3YnchRdHKV2BhAz2meyuGgznlnr3IzOxahbzdFr4pPrH61E22lNkqg
2HNSSpcG/svIKgeIN8ChkN4S4ZUfLxj36Bsq//DLzmAeFtzZo/uUohacB488g4Nb
13bLH6cGT4c=JE9B
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce
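Added example (not part of the Red Hat advisory): a small POSIX shell check for sections 4 and 6 above. It compares the version-release of an installed grafana package against the fixed build the advisory lists (grafana-9.0.9-2.el9) and, when run on an RPM-based host, prints the package's recorded GPG signature so it can be checked against the Red Hat key referenced in section 6. The function names (evr_at_least, grafana_is_fixed, check_host) and the simplified version comparison are this example's own, not Red Hat tooling; the comparison follows rpm's segment rules (numeric segments compare numerically and rank above alphabetic ones) but is not a full reimplementation of rpmvercmp.

```shell
#!/bin/sh
# Added example, not part of RHSA-2023:2167. Fixed build taken from section 6.
FIXED_EVR="9.0.9-2.el9"

# evr_at_least A B: succeeds when version-release string A is >= B.
# Simplified rpm-style comparison (hypothetical helper, not rpm's own):
# split both strings on non-alphanumerics, compare segment by segment.
evr_at_least() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "[^0-9A-Za-z]+"); nb = split(b, y, "[^0-9A-Za-z]+")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = x[i]; q = y[i]
            if (p == q) continue
            if (p ~ /^[0-9]+$/ && q ~ /^[0-9]+$/) exit (p + 0 < q + 0) ? 1 : 0
            if (p ~ /^[0-9]+$/) exit 0      # numeric segment ranks above alphabetic
            if (q ~ /^[0-9]+$/) exit 1
            exit (p < q) ? 1 : 0            # both alphabetic: plain string order
        }
        exit 0                              # all segments equal
    }'
}

# grafana_is_fixed VERSION-RELEASE: succeeds when the given build carries the fixes.
grafana_is_fixed() {
    evr_at_least "$1" "$FIXED_EVR"
}

# check_host: query the local rpm database (no-op where rpm is unavailable).
check_host() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not found; skipping host check"; return 0; }
    evr=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' grafana 2>/dev/null) \
        || { echo "grafana is not installed"; return 0; }
    if grafana_is_fixed "$evr"; then
        echo "grafana-$evr: at or above fixed build $FIXED_EVR"
    else
        echo "grafana-$evr: below fixed build $FIXED_EVR, apply RHSA-2023:2167"
    fi
    # Show the signature recorded for the installed package (section 6 of the advisory);
    # for a downloaded .rpm file, 'rpm -K file.rpm' performs the same check on the file.
    rpm -qi grafana | grep -i '^Signature'
}

check_host
```

Constructed inputs for the comparison: "9.0.8-1.el9" (the FTBFS build named in bug 2127218) and "9.0.9-1.el9" are reported as below the fix, while "9.0.9-2.el9" and any later build such as "9.0.10-1.el9" are reported as fixed.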