grafana-7.3.6-2.el8

Errata ID: AXSA:2021-2087:03

Release date: Saturday, June 26, 2021 - 08:31
Subject: grafana-7.3.6-2.el8
Affected Channels: Asianux Server 8 for x86_64
Severity: Moderate
Description: 

Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB & OpenTSDB.

The following packages have been upgraded to a later upstream version: grafana (7.3.6).

Security Fix(es):

* crewjam/saml: authentication bypass in saml authentication (CVE-2020-27846)
* grafana: XSS via a query alias for the Elasticsearch and Testdata datasource (CVE-2020-24303)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2020-24303
Grafana before 7.1.0-beta 1 allows XSS via a query alias for the ElasticSearch datasource.
CVE-2020-27846
A signature verification vulnerability exists in crewjam/saml. This flaw allows an attacker to bypass SAML Authentication. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. grafana-7.3.6-2.el8.src.rpm
    MD5: 11d91d7ccc5437fca11562516868d2d1
    SHA-256: a7aeff853115f2d95bc08250619e8261999bc76be165e8d84be0ee77a7ef086e
    Size: 115.39 MB

Asianux Server 8 for x86_64
  1. grafana-7.3.6-2.el8.x86_64.rpm
    MD5: 5917e6ee58c175bb86dfb31ee59d8384
    SHA-256: ddd32248447ba590ff3a3d9f43216b5138b4f8ea9b734ffdae9d63b7360ae320
    Size: 37.64 MB