File _patchinfo of Package patchinfo.41611

<patchinfo incident="41611">
  <issue tracker="ijsc" id="MSQA-1034"/>
  <issue tracker="jsc" id="PED-14178"/>
  <issue tracker="cve" id="2025-11065"/>
  <issue tracker="cve" id="2025-6023"/>
  <issue tracker="cve" id="2025-6197"/>
  <issue tracker="cve" id="2025-3415"/>
  <issue tracker="cve" id="2025-64751"/>
  <issue tracker="cve" id="2025-47911"/>
  <issue tracker="cve" id="2025-58190"/>
  <issue tracker="bnc" id="1251454">VUL-0: CVE-2025-47911: grafana: golang.org/x/net/html: various algorithms with quadratic complexity when parsing HTML documents</issue>
  <issue tracker="bnc" id="1251657">VUL-0: CVE-2025-58190: grafana: golang.org/x/net/html: excessive memory consumption by `html.ParseFragment` when processing specially crafted input</issue>
  <issue tracker="bnc" id="1254113">VUL-0: CVE-2025-64751: grafana: openfga: improper policy enforcement could allow unauthorized access to resources</issue>
  <issue tracker="bnc" id="1246736">VUL-0: CVE-2025-6197: grafana: open redirect in organization switching functionality</issue>
  <issue tracker="bnc" id="1250616">VUL-0: CVE-2025-11065: grafana: github.com/go-viper/mapstructure/v2: sensitive information leak in logs</issue>
  <issue tracker="bnc" id="1245302">VUL-0: CVE-2025-3415: grafana: exposure of DingDing alerting integration URL to Viewer level users</issue>
  <issue tracker="bnc" id="1246735">VUL-0: CVE-2025-6023: grafana: open redirect can be chained with path traversal vulnerabilities to achieve XSS</issue>
  <packager>raulosuna</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update for grafana</summary>
  <description>This update for grafana fixes the following issues:

grafana was updated from version 11.5.5 to 11.5.10:

- Security issues fixed:

  * CVE-2025-64751: Dropped the experimental Zanzana (openfga-based) authorization server/client implementation
    (version 11.5.10) (bsc#1254113)
  * CVE-2025-47911: Fixed quadratic-complexity algorithms in golang.org/x/net/html when parsing HTML documents
    (version 11.5.10) (bsc#1251454)
  * CVE-2025-58190: Fixed excessive memory consumption in golang.org/x/net/html `html.ParseFragment` on crafted input
    (version 11.5.10) (bsc#1251657)
  * CVE-2025-11065: Fixed sensitive information leak in logs (version 11.5.9) (bsc#1250616)
  * CVE-2025-6023: Fixed cross-site scripting via scripted dashboards (open redirect chained with path traversal)
    (version 11.5.7) (bsc#1246735)
  * CVE-2025-6197: Fixed open redirect in organization switching (version 11.5.7) (bsc#1246736)
  * CVE-2025-3415: Fixed exposure of DingDing alerting integration URL to Viewer level users (version 11.5.6)
    (bsc#1245302)

- Other changes, new features and bugs fixed:

  * Version 11.5.10:
    + Use forked wire from Grafana repository instead of external package (jsc#PED-14178)
    + Auth: Fix render user OAuth passthrough.
    + LDAP Authentication: Fix URL to propagate username context as parameter.
    + Plugins: Dependencies do not inherit parent URL for preinstall.

  * Version 11.5.9:
    + Auditing: Document new options for recording datasource query request/response body.
    + Login: Fixed redirection after login when Grafana is served from subpath.

  * Version 11.5.7:
    + Azure: Fixed legend formatting and resource name determination in template variable queries.

</description>
</patchinfo>