-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: grafana security update
Advisory ID:       RHSA-2023:2784-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:2784
Issue date:        2023-05-16
CVE Names:         CVE-2022-2880 CVE-2022-27664 CVE-2022-39229
                   CVE-2022-41715
====================================================================

1. Summary:

An update for grafana is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

Grafana is an open-source, feature-rich metrics dashboard and graph editor
for Graphite, InfluxDB & OpenTSDB.

Security Fix(es):

* golang: net/http/httputil: ReverseProxy should not forward unparseable
query parameters (CVE-2022-2880)

* golang: net/http: handle server errors after sending GOAWAY
(CVE-2022-27664)

* grafana: using email as a username can block other users from signing in
(CVE-2022-39229)

* golang: regexp/syntax: limit memory used by parsing regexps
(CVE-2022-41715)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 8.8 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2124669 - CVE-2022-27664 golang: net/http: handle server errors after sending GOAWAY
2131149 - CVE-2022-39229 grafana: using email as a username can block other users from signing in
2132868 - CVE-2022-2880 golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters
2132872 - CVE-2022-41715 golang: regexp/syntax: limit memory used by parsing regexps

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:
grafana-7.5.15-4.el8.src.rpm

aarch64:
grafana-7.5.15-4.el8.aarch64.rpm
grafana-debuginfo-7.5.15-4.el8.aarch64.rpm

ppc64le:
grafana-7.5.15-4.el8.ppc64le.rpm
grafana-debuginfo-7.5.15-4.el8.ppc64le.rpm

s390x:
grafana-7.5.15-4.el8.s390x.rpm
grafana-debuginfo-7.5.15-4.el8.s390x.rpm

x86_64:
grafana-7.5.15-4.el8.x86_64.rpm
grafana-debuginfo-7.5.15-4.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-2880
https://access.redhat.com/security/cve/CVE-2022-27664
https://access.redhat.com/security/cve/CVE-2022-39229
https://access.redhat.com/security/cve/CVE-2022-41715
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.8_release_notes/index

8. Contact:

The Red Hat security contact is .
More contact details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
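The package list above gives one fixed build, grafana-7.5.15-4.el8, for every architecture. The following script is an added example, not code from the advisory or from Red Hat: it decides whether an installed grafana build is at or beyond that fixed build by porting rpm's version comparison (rpmvercmp) to pure Python, so it runs without the python3-rpm bindings. It assumes the input is the NAME-VERSION-RELEASE string printed by `rpm -q --qf`, and that the RHEL 8 grafana package has no epoch.

```python
r"""Added example (not the advisory's or Red Hat's code): check whether an installed
grafana build is at or beyond the fixed package in RHSA-2023:2784, grafana-7.5.15-4.el8.
rpm's version comparison (rpmvercmp) is ported to pure Python so it runs without the
python3-rpm bindings; the rarely used '^' separator is not handled."""
import re
from itertools import zip_longest

FIXED_VERSION, FIXED_RELEASE = "7.5.15", "4.el8"   # from the advisory's Package List


def _tokens(s: str) -> list:
    """Split like rpm does: runs of digits, runs of letters, and '~'; other characters
    ('.', '_', '-') are separators and are dropped."""
    return re.findall(r"~|[0-9]+|[A-Za-z]+", s)


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 for a < b, a == b, a > b, following rpm's rules: digit runs
    compare numerically, letter runs lexically, digits beat letters, '~' sorts before
    anything (pre-releases), and a longer string wins an otherwise equal prefix."""
    for x, y in zip_longest(_tokens(a), _tokens(b), fillvalue=""):
        if x == "~" or y == "~":
            if x != y:                        # the side without the tilde is greater
                return 1 if y == "~" else -1
            continue
        if not (x and y):                     # one side ran out of segments
            return -1 if not x else 1
        if x.isdigit() != y.isdigit():        # mixed segment types: numeric wins
            return 1 if x.isdigit() else -1
        if x.isdigit():
            x, y = x.lstrip("0"), y.lstrip("0")
            if len(x) != len(y):
                return 1 if len(x) > len(y) else -1
        if x != y:
            return 1 if x > y else -1
    return 0


def is_patched(nvr: str) -> bool:
    r"""nvr as printed by `rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' grafana`.
    Epoch is ignored on the assumption that the RHEL 8 grafana package carries none."""
    name, version, release = nvr.strip().rsplit("-", 2)
    if name != "grafana":
        raise ValueError(f"not a grafana package: {nvr}")
    return (rpmvercmp(version, FIXED_VERSION) or rpmvercmp(release, FIXED_RELEASE)) >= 0


if __name__ == "__main__":                    # on a RHEL 8 host: query rpm and report
    import subprocess
    out = subprocess.run(["rpm", "-q", "--qf", "%{NAME}-%{VERSION}-%{RELEASE}\n", "grafana"],
                         capture_output=True, text=True, check=True).stdout
    print("patched" if is_patched(out) else "NOT patched:", out.strip())
```

A later rebuild such as grafana-7.5.15-10.el8 or a newer upstream version also counts as patched, since the comparison is numeric per segment rather than a string match on the advisory's exact build.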