
Security: Two issues in grafana and mybatis
Name: Two issues in grafana and mybatis
ID: SUSE-SU-2024:1530-2
Distribution: SUSE
Platforms: SUSE Linux Enterprise Desktop 15 SP6, SUSE Linux Enterprise Server for SAP Applications 15 SP6, SUSE Linux Enterprise Server 15 SP6, SUSE Linux Enterprise Real Time 15 SP6, SUSE openSUSE Leap 15.6, SUSE Package Hub 15 15-SP6
Date: Mon, 24 June 2024, 23:16
References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1313
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6152
Applications: mybatis, Grafana

Original message

# Security update for grafana and mybatis

Announcement ID: SUSE-SU-2024:1530-2
Rating: moderate
References:

* bsc#1219912
* bsc#1222155
* jsc#MSQA-760


Cross-References:

* CVE-2023-6152
* CVE-2024-1313


CVSS scores:

* CVE-2023-6152 ( SUSE ): 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
* CVE-2024-1313 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N


Affected Products:

* openSUSE Leap 15.6
* SUSE Linux Enterprise Desktop 15 SP6
* SUSE Linux Enterprise Real Time 15 SP6
* SUSE Linux Enterprise Server 15 SP6
* SUSE Linux Enterprise Server for SAP Applications 15 SP6
* SUSE Package Hub 15 15-SP6



An update that solves two vulnerabilities and contains one feature can now be
installed.

## Description:

This update for grafana and mybatis fixes the following issues:

grafana was updated to version 9.5.18:

* Grafana now requires Go 1.20
* Security issues fixed:
  * CVE-2024-1313: Require same organisation when deleting snapshots (bsc#1222155)
  * CVE-2023-6152: Add email verification when updating user email (bsc#1219912)
* Other non-security related changes:
  * Version 9.5.17:
    * [FEATURE] Alerting: Backport use Alertmanager API v2
  * Version 9.5.16:
    * [BUGFIX] Annotations: Split cleanup into separate queries and deletes to avoid deadlocks on MySQL
  * Version 9.5.15:
    * [FEATURE] Alerting: Attempt to retry retryable errors
  * Version 9.5.14:
    * [BUGFIX] Alerting: Fix state manager to not keep datasource_uid and ref_id labels in state after Error
    * [BUGFIX] Transformations: Config overrides being lost when config from query transform is applied
    * [BUGFIX] LDAP: Fix enable users on successful login
  * Version 9.5.13:
    * [BUGFIX] BrowseDashboards: Only remember the most recent expanded folder
    * [BUGFIX] Licensing: Pass func to update env variables when starting plugin
  * Version 9.5.12:
    * [FEATURE] Azure: Add support for Workload Identity authentication
  * Version 9.5.9:
    * [FEATURE] SSE: Fix DSNode to not panic when response has empty response
    * [FEATURE] Prometheus: Handle the response with different field key order
    * [BUGFIX] LDAP: Fix user disabling

mybatis:

* `apache-commons-ognl` is now a non-optional dependency
* Fixed building with log4j v1 and v2 dependencies

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

* openSUSE Leap 15.6
  `zypper in -t patch openSUSE-SLE-15.6-2024-1530=1`

* SUSE Package Hub 15 15-SP6
  `zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP6-2024-1530=1`

## Package List:

* openSUSE Leap 15.6 (noarch)
  * mybatis-javadoc-3.5.6-150200.5.6.1
  * mybatis-3.5.6-150200.5.6.1
* openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64)
  * grafana-9.5.18-150200.3.56.1
  * grafana-debuginfo-9.5.18-150200.3.56.1
* SUSE Package Hub 15 15-SP6 (aarch64 ppc64le s390x x86_64)
  * grafana-9.5.18-150200.3.56.1
  * grafana-debuginfo-9.5.18-150200.3.56.1

## References:

* https://www.suse.com/security/cve/CVE-2023-6152.html
* https://www.suse.com/security/cve/CVE-2024-1313.html
* https://bugzilla.suse.com/show_bug.cgi?id=1219912
* https://bugzilla.suse.com/show_bug.cgi?id=1222155
* https://jira.suse.com/browse/MSQA-760

