File _patchinfo of Package patchinfo.28005
<patchinfo incident="28005">
<issue tracker="bnc" id="1208065">VUL-0: CVE-2022-46146: grafana: prometheus/exporter-toolkit: authentication bypass via cache poisoning</issue>
<issue tracker="bnc" id="1207750">VUL-0: CVE-2022-39324: grafana: Grafana is an open-source platform for monitoring and observability. Prior to versions 8.5.16 and 9.2.8, malicious user can create a snapshot and arbitrarily choose the `originalUrl` parameter by editing the</issue>
<issue tracker="bnc" id="1207749">VUL-0: CVE-2022-23552: grafana: Grafana is an open-source platform for monitoring and observability. Starting with the 8.1 branch and prior to versions 8.5.16, 9.2.10, and 9.3.4, Grafana had a stored XSS vulnerability affecting the core plu</issue>
<issue tracker="bnc" id="1208293">VUL-0: CVE-2022-41723: grafana: go1.19,go1.20: net/http: avoid quadratic complexity in HPACK decoding</issue>
<issue tracker="cve" id="2022-39324"/>
<issue tracker="cve" id="2022-23552"/>
<issue tracker="cve" id="2022-46146"/>
<issue tracker="cve" id="2022-41723"/>
<packager>juliogonzalezgil</packager>
<rating>important</rating>
<category>security</category>
<summary>Security update for grafana</summary>
<description>This update for grafana fixes the following issues:
- CVE-2022-23552: Fixed SVG processing by adding a dompurify preprocessor step (bsc#1207749).
- CVE-2022-39324: Fixed originalUrl spoof security issue (bsc#1207750).
- CVE-2022-41723: Fixed a Go net/http issue to avoid quadratic complexity in HPACK decoding (bsc#1208293).
- CVE-2022-46146: Fixed basic authentication bypass by updating the exporter toolkit (bsc#1208065).
- Trim leading and trailing whitespace from email and username on signup
- Fix invitation validation: check that the provided email address matches the address the invitation was sent to
</description>
</patchinfo>