grafana-10.2.6-21.el9_7

エラータID: AXSA:2026-536:12

Release date: 
Monday, May 4, 2026 - 17:03
Subject: 
grafana-10.2.6-21.el9_7
Affected Channels: 
MIRACLE LINUX 9 for x86_64
Severity: 
High
Description: 

Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB & OpenTSDB.

Security Fix(es):

* golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root (CVE-2026-32282)
* crypto/tls: golang: Go crypto/tls: Denial of Service via multiple TLS 1.3 key update messages (CVE-2026-32283)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2026-32282
On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root. The Linux fchmodat syscall silently ignores the AT_SYMLINK_NOFOLLOW flag, which Root.Chmod uses to avoid symlink traversal. Root.Chmod checks its target before acting and returns an error if the target is a symlink lying outside the root, so the impact is limited to cases where the target is replaced with a symlink between the check and operation.
CVE-2026-32283
If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service. This only affects TLS 1.3.

Solution: 

Update packages.

CVEs: 
CVE-2026-32282
On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root. The Linux fchmodat syscall silently ignores the AT_SYMLINK_NOFOLLOW flag, which Root.Chmod uses to avoid symlink traversal. Root.Chmod checks its target before acting and returns an error if the target is a symlink lying outside the root, so the impact is limited to cases where the target is replaced with a symlink between the check and operation.
CVE-2026-32283
If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service. This only affects TLS 1.3.
Additional Info: 

N/A

Download: 

SRPMS
  1. grafana-10.2.6-21.el9_7.src.rpm
    MD5: 545f4dd8597f8271a79e0ace26f77cf2
    SHA-256: ac499fbbbe67aae1e9270bd0bd5aaf31803118baa5539195eac28c8db7bef8cd
    Size: 335.91 MB

Asianux Server 9 for x86_64
  1. grafana-10.2.6-21.el9_7.x86_64.rpm
    MD5: 0a3f8881c853092c57f3cb0b05843df9
    SHA-256: b51c80965f310afec08378013c30de9aad18947b62e19e20b7b052fe10b8257a
    Size: 113.39 MB
  2. grafana-selinux-10.2.6-21.el9_7.x86_64.rpm
    MD5: 602d00d10e7cef96c02f45414465d81a
    SHA-256: 86866e8052f3d5ee5534c799e59bdbec545fe1026712f36fb958d6e2dc667df8
    Size: 24.96 kB