File _patchinfo of Package patchinfo.33419

<patchinfo incident="33419">
  <issue tracker="ijsc" id="MSQA-760"/>
  <issue tracker="cve" id="2023-6152"/>
  <issue tracker="cve" id="2024-1313"/>
  <issue tracker="bnc" id="1222155">VUL-0: CVE-2024-1313: grafana: authorization bypass on snapshot delete endpoint of different organization</issue>
  <issue tracker="bnc" id="1219912">VUL-0: CVE-2023-6152: grafana: lack of validation on email update on configuration option "verify_email_enabled"</issue>
  <packager>raulosuna</packager>
  <rating>moderate</rating>
  <category>security</category>
  <summary>Security update for grafana and mybatis</summary>
  <description>This update for grafana and mybatis fixes the following issues:

grafana was updated to version 9.5.18:

- Grafana now requires Go 1.20
- Security issues fixed:

  * CVE-2024-1313: Require same organisation when deleting snapshots (bsc#1222155)
  * CVE-2023-6152: Add email verification when updating user email (bsc#1219912)

- Other non-security related changes:

  * Version 9.5.17:

    + [FEATURE] Alerting: Backport use Alertmanager API v2

  * Version 9.5.16:

    + [BUGFIX] Annotations: Split cleanup into separate queries and
      deletes to avoid deadlocks on MySQL

  * Version 9.5.15:

    + [FEATURE] Alerting: Attempt to retry retryable errors

  * Version 9.5.14:

    + [BUGFIX] Alerting: Fix state manager to not keep
      datasource_uid and ref_id labels in state after Error
    + [BUGFIX] Transformations: Config overrides being lost when
      config from query transform is applied
    + [BUGFIX] LDAP: Fix enable users on successful login

  * Version 9.5.13:

    + [BUGFIX] BrowseDashboards: Only remember the most recent
      expanded folder
    + [BUGFIX] Licensing: Pass func to update env variables when
      starting plugin

  * Version 9.5.12:

    + [FEATURE] Azure: Add support for Workload Identity
      authentication

  * Version 9.5.9:

    + [FEATURE] SSE: Fix DSNode to not panic when response has empty
      response
    + [FEATURE] Prometheus: Handle the response with different field
      key order
    + [BUGFIX] LDAP: Fix user disabling


mybatis:

- `apache-commons-ognl` is now a non-optional dependency
- Fixed building with log4j v1 and v2 dependencies
</description>
</patchinfo>