Security: Two problems in grafana
Name: Two problems in grafana
ID: FEDORA-2020-d109a1d1d9
Distribution: Fedora
Platforms: Fedora 31
Date: Thu, 14 May 2020, 07:31
References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12459
Applications: Grafana


Fedora Update Notification
2020-05-14 02:28:00.022635

Name : grafana
Product : Fedora 31
Version : 6.7.3
Release : 1.fc31
URL : https://grafana.org
Summary : Metrics dashboard and graph editor
Description :
Grafana is an open source, feature rich metrics dashboard and graph editor for
Graphite, InfluxDB & OpenTSDB.

Update Information:

rebase to upstream Grafana 6.7.3 - including fix for CVE-2020-12458 and

* Tue Apr 28 2020 Andreas Gerstmayr <agerstmayr@redhat.com> 6.7.3-1
- update to 6.7.3 tagged upstream community sources, see CHANGELOG
- add scripts to list Go dependencies and bundled npmjs dependencies
- set Grafana version in Grafana UI and grafana-cli --version
- declare README.md as documentation of datasource plugins
- create grafana.db on first installation (fixes RH BZ #1805472)
- change permissions of /var/lib/grafana to 750 (CVE-2020-12458)
- change permissions of /var/lib/grafana/grafana.db to 640 and
user/group grafana:grafana (CVE-2020-12458)
- change permissions of grafana.ini and ldap.toml to 640 (CVE-2020-12459)
* Wed Feb 26 2020 Mark Goodwin <mgoodwin@redhat.com> 6.6.2-1
- added patch0 to set the version string correctly
- removed patch 004-xerrors.patch, it's now upstream
- added several patches for golang vendored vrs build dep differences
- added patch to move grafana-cli binary to libexec dir
- update to 6.6.2 tagged upstream community sources, see CHANGELOG

[ 1 ] Bug #1827765 - CVE-2020-12458 grafana: information disclosure through
world-readable /var/lib/grafana/grafana.db
[ 2 ] Bug #1829724 - CVE-2020-12459 grafana: information disclosure through
world-readable grafana configuration files

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2020-d109a1d1d9' at the command
line. For more information, refer to the dnf documentation available at

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
package-announce mailing list -- package-announce@lists.fedoraproject.org
List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org
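
The permission changes listed in the 6.7.3-1 changelog above can be checked on an installed host. The shell functions below are an added example, not part of the Fedora advisory or the grafana package; they assume GNU `stat` and that `grafana.ini` and `ldap.toml` live under `/etc/grafana` (the advisory names the files but not their directory). The function names and the `ROOT` prefix are chosen for this example.

```shell
#!/bin/sh
# Added example: audit the permissions named in the 6.7.3-1 changelog.
# Assumption: grafana.ini and ldap.toml are under /etc/grafana.
# Requires GNU stat (coreutils).

# excess_bits MAX ACTUAL -> prints (octal) the bits ACTUAL grants beyond MAX
excess_bits() {
    printf '%o\n' $(( 0$2 & ~0$1 & 07777 ))
}

# check_path PATH MAX_MODE [OWNER:GROUP]
# Prints one verdict line. Returns 0 if compliant, 1 if too permissive or
# wrongly owned, 2 if the path is not present (or not reachable by the caller).
check_path() {
    path=$1; max=$2; want_owner=${3:-}
    if [ ! -e "$path" ]; then
        echo "SKIP  $path (not present)"
        return 2
    fi
    mode=$(stat -c '%a' "$path")
    owner=$(stat -c '%U:%G' "$path")
    extra=$(excess_bits "$max" "$mode")
    if [ "$extra" != 0 ]; then
        echo "FAIL  $path mode $mode exceeds $max (extra bits: $extra)"
        return 1
    fi
    if [ -n "$want_owner" ] && [ "$owner" != "$want_owner" ]; then
        echo "FAIL  $path owner $owner, expected $want_owner"
        return 1
    fi
    echo "OK    $path mode $mode owner $owner"
    return 0
}

# audit_grafana [ROOT] -> non-zero if any existing path fails its check.
# ROOT is a hypothetical prefix, e.g. a mounted image or container rootfs.
audit_grafana() {
    root=${1:-}; failed=0
    check_path "$root/var/lib/grafana" 750 || [ $? -eq 2 ] || failed=1
    check_path "$root/var/lib/grafana/grafana.db" 640 grafana:grafana \
        || [ $? -eq 2 ] || failed=1
    check_path "$root/etc/grafana/grafana.ini" 640 || [ $? -eq 2 ] || failed=1
    check_path "$root/etc/grafana/ldap.toml" 640 || [ $? -eq 2 ] || failed=1
    return $failed
}
```

Source the file and call `audit_grafana` as root: once `/var/lib/grafana` is mode 750, an unprivileged caller can no longer reach `grafana.db` and the check reports it as not present.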