CVE-2019-13068 (https://nvd.nist.gov/vuln/detail/CVE-2019-13068): public/app/features/panel/panel_ctrl.ts in Grafana before 6.2.5 allows HTML Injection in panel drilldown links (via the Title or url field).

Upstream reference: https://github.com/grafana/grafana/pull/17731

Gentoo Security Padawan (domhnall)
I believe a relatively easy fix would be to stabilize 6.2.5 early (it's in the tree since 2019-06-26, no other bugs open), and then remove the old affected versions. If there are no objections and/or alternative ideas, I'd go forward with this plan.
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0f1febcd1ac613fd7e161bb92ffecd17545e059c

commit 0f1febcd1ac613fd7e161bb92ffecd17545e059c
Author: Ferenc Erki <erkiferenc@gmail.com>
AuthorDate: 2019-09-15 13:11:27 +0000
Commit: Joonas Niilola <juippis@gentoo.org>
CommitDate: 2019-09-15 16:48:44 +0000

    www-apps/grafana-bin: drop old

    Bug: https://bugs.gentoo.org/689388
    Package-Manager: Portage-2.3.76, Repoman-2.3.17
    Signed-off-by: Ferenc Erki <erkiferenc@gmail.com>
    Closes: https://github.com/gentoo/gentoo/pull/12931
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 www-apps/grafana-bin/Manifest                    |  3 -
 www-apps/grafana-bin/grafana-bin-5.4.3-r1.ebuild | 70 ------------------------
 www-apps/grafana-bin/grafana-bin-5.4.4.ebuild    | 70 ------------------------
 www-apps/grafana-bin/grafana-bin-5.4.5.ebuild    | 70 ------------------------
 4 files changed, 213 deletions(-)