File _patchinfo of Package patchinfo.27398

<patchinfo incident="27398">
  <issue tracker="bnc" id="1204304">VUL-0: CVE-2022-39229: grafana: using email as a username can block other users from signing in</issue>
  <issue tracker="bnc" id="1204303">VUL-0: CVE-2022-39201: grafana: Data source and plugin proxy endpoints could leak the authentication cookie to some destination plugins</issue>
  <issue tracker="bnc" id="1205225">VUL-0: CVE-2022-39306: grafana: email addresses and usernames cannot be trusted</issue>
  <issue tracker="bnc" id="1204305">VUL-0: CVE-2022-31130: grafana: data source and plugin proxy endpoints leaking authentication tokens to some destination plugins</issue>
  <issue tracker="bnc" id="1205227">VUL-0: CVE-2022-39307: grafana: user enumeration via forget password</issue>
  <issue tracker="bnc" id="1204302">VUL-0: CVE-2022-31123: grafana: plugin signature bypass</issue>
  <issue tracker="cve" id="2022-39307"/>
  <issue tracker="cve" id="2022-31130"/>
  <issue tracker="cve" id="2022-39229"/>
  <issue tracker="cve" id="2022-39306"/>
  <issue tracker="cve" id="2022-39201"/>
  <issue tracker="cve" id="2022-31123"/>
  <packager>juliogonzalezgil</packager>
  <rating>moderate</rating>
  <category>security</category>
  <summary>Security update for grafana</summary>
  <description>This update for grafana fixes the following issues:

- Version update from 8.5.13 to 8.5.15 (jsc#PED-2617):
  * CVE-2022-39306: Security fix for privilege escalation (bsc#1205225)
  * CVE-2022-39307: Omit error from HTTP response when user does not exist (bsc#1205227)
  * CVE-2022-39201: Do not forward login cookie in outgoing requests (bsc#1204303)
  * CVE-2022-31130: Make proxy endpoints not leak sensitive HTTP headers (bsc#1204305)
  * CVE-2022-31123: Fix plugin signature bypass (bsc#1204302)
  * CVE-2022-39229: Fix blocking other users from signing in (bsc#1204304)
</description>
</patchinfo>