grafana-9.2.10-20.el8_10
Errata ID: AXSA:2024-8935:16
Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB & OpenTSDB.
Security Fix(es):
* golang-fips: Golang FIPS zeroed buffer (CVE-2024-9355)
* dompurify: nesting-based mutation XSS vulnerability (CVE-2024-47875)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
CVE-2024-47875
DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify was vulnerable to nesting-based mXSS. This vulnerability is fixed in 2.5.0 and 3.1.3.
CVE-2024-9355
A vulnerability was found in Golang FIPS OpenSSL. This flaw allows a malicious user to randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode. It may also be possible to force a false positive match between non-equal hashes when comparing a trusted computed HMAC sum to an untrusted input sum if an attacker can send a zeroed buffer in place of a pre-computed sum. It is also possible to force a derived key to be all zeros instead of an unpredictable value. This may have follow-on implications for the Go TLS stack.
Update packages.
SRPMS
- grafana-9.2.10-20.el8_10.src.rpm
MD5: a293b6108fa6338d5fb7780cbc654b5b
SHA-256: b08597c5023ba524205c1643dcc51a9ff06d9531457999b50bfe2822bae4bfa7
Size: 321.49 MB
Asianux Server 8 for x86_64
- grafana-9.2.10-20.el8_10.x86_64.rpm
MD5: 75a9541e299ebd1d868525bc131be163
SHA-256: 5cca0dfe794af9b59a26a93098bcc1a004cddf78b339d449068d671c54dd9bdc
Size: 75.52 MB
- grafana-selinux-9.2.10-20.el8_10.x86_64.rpm
MD5: a3c156f974131e0624b8bd4f2ac4a131
SHA-256: f79879c07458e85263c7236cbe11331c28b851c8a99895ebfc1f37c3a56c626f
Size: 34.46 kB