File _patchinfo of Package patchinfo.43047

<patchinfo incident="43047">
  <issue tracker="ijsc" id="MSQA-1045"/>
  <issue tracker="cve" id="2026-21721"/>
  <issue tracker="cve" id="2025-68156"/>
  <issue tracker="cve" id="2026-21722"/>
  <issue tracker="cve" id="2026-21720"/>
  <issue tracker="cve" id="2025-3415"/>
  <issue tracker="bnc" id="1245302">VUL-0: CVE-2025-3415: grafana: exposure of DingDing alerting integration URL to Viewer level users</issue>
  <issue tracker="bnc" id="1255340">VUL-0: CVE-2025-68156: grafana: github.com/expr-lang/expr/builtin: uncontrolled recursion in expression evaluation can cause a denial of service</issue>
  <issue tracker="bnc" id="1258136">VUL-0: CVE-2026-21722: grafana: entire history of annotations visible due to public dashboards not limiting their annotation timerange to the locked timerange of the public dashboard</issue>
  <issue tracker="bnc" id="1257349">VUL-0: CVE-2026-21720: grafana: Every uncached /avatar/:hash request spawns a goroutine that refreshes the Gravatar image</issue>
  <issue tracker="bnc" id="1257337">VUL-0: CVE-2026-21721: grafana: improper access control by the dashboard permissions API allows users with permission management rights on one dashboard to read and modify permissions on other dashboards</issue>
  <packager>PSuarezHernandez</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update for grafana</summary>
  <description>This update for grafana fixes the following issues:

- Security issues fixed:

  - CVE-2026-21722: Public dashboards annotations: use dashboard timerange if time selection disabled (bsc#1258136)
  - CVE-2026-21721: Fixed access control by the dashboard permissions API (bsc#1257337)
  - CVE-2026-21720: Fixed unauthenticated DoS (bsc#1257349)
  - CVE-2025-68156: Fixed potential DoS via unbounded recursion in builtin functions (bsc#1255340)
  - CVE-2025-3415: Fixed exposure of DingDing alerting integration URL to Viewer level users (bsc#1245302)

- Version update from 11.5.10 to 11.6.11 with the following highlighted changes and fixes:
 
  - Performance Boost: Introduced WebGL-powered geomaps for smoother map visualizations and
    removed blurred backgrounds from UI overlays to speed up the interface.
  - One-Click Actions: Visualizations now support faster navigation via one-click links and actions.
  - Alerting History: Added version history for alert rules, allowing you to track changes over time.
  - Service Accounts: Automated the migration of old API keys to more secure Service Accounts upon startup.
  - Cron Support: Annotations now support Cron syntax for more flexible scheduling.
  - Identity and Auth: Hardened the Avatar feature (now requires sign-in) and fixed several login redirection issues
    when Grafana is hosted on a subpath.
  - Data Source Support: Added support for Cloud Partner Prometheus data sources and improved Azure legend formatting.
  - Alerting Limits: Added size limits for expanded notification templates to prevent system strain.
  - RBAC: Integrated Role-Based Access Control (RBAC) into the Alertmanager via the reqAction field.
  - Data Consistency: Fixed several issues with Graphite and InfluxDB regarding how variables are handled in repeated
    rows or nested queries.
  - Dashboard Reliability: Resolved bugs involving row repeats and "self-referencing" data links.
  - Alerting Fixes: Patched a critical "panic" (crash) caused by a race condition in alert rules and fixed issues where
    contact points weren't working correctly.
  - URL Handling: Fixed a bug where "true" values in URL parameters weren't being read correctly.
</description>
</patchinfo>