From https://www.openwall.com/lists/oss-security/2020/06/03/4 :

Dear all,

today we are releasing Grafana 6.7.4 and 7.0.2. These patch releases include an important security fix for an issue that affects all Grafana versions from 3.0.1 to 7.0.1.

Incorrect access control vulnerability (CVE-2020-13379)

We received a security report to security@...fana.com on May 14, 2020, about a vulnerability in Grafana regarding the avatar feature. It was later identified as affecting Grafana versions from 3.0.1 to 7.0.1. CVE-2020-13379 has been assigned to this vulnerability.

This vulnerability allows any unauthenticated user/client to make Grafana send HTTP requests to any URL and return its result to the user/client. This can be used to gain information about the network that Grafana is running on.

If for some reason you cannot upgrade, the impact can be mitigated by blocking access to the avatar feature by blocking the /avatar/* URL via a web application firewall, load balancer, reverse proxy, or similar. It can also be mitigated by restricting access to Grafana.

Affected versions
Grafana releases 3.0.1 through 7.0.1

Patched versions
7.x and 6.7.x

Solutions and mitigations
Download and install the appropriate patch for your version of Grafana. Grafana Cloud instances have already been patched, and Grafana Enterprise customers were provided with updated binaries, under embargo, on May 27.

Further information can be found at https://grafana.com/blog/2020/06/03/grafana-6.7.4-and-7.0.2-released-with-important-security-fix/

Richard
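The reverse-proxy workaround the advisory describes (block /avatar/* in front of an unpatched instance), written out as an added illustration; this is not part of the advisory, of the Gentoo bug, or of Grafana's own documentation. It assumes nginx as the proxy, that Grafana listens only on 127.0.0.1:3000 (its default port) so the proxy is the sole entry point, and uses grafana.example.internal as a placeholder server name.

```nginx
# Added example: nginx reverse proxy in front of an unpatched Grafana,
# refusing the avatar endpoint as the advisory's stop-gap for CVE-2020-13379.
# Assumptions: Grafana is bound to 127.0.0.1:3000 (default port) and is not
# reachable except through this proxy; the server_name is a placeholder.
server {
    listen 443 ssl;
    server_name grafana.example.internal;   # placeholder hostname

    # ssl_certificate / ssl_certificate_key omitted here; supply your own.

    # Reject every request whose path starts with /avatar/ before it is
    # forwarded. The ^~ modifier makes this prefix match win over any
    # regex locations that might be added later, so the block cannot be
    # shadowed by a broader rule.
    location ^~ /avatar/ {
        return 403;
    }

    # All other Grafana traffic is proxied unchanged.
    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

After reloading nginx, a request such as `curl -sI https://grafana.example.internal/avatar/anything` should return HTTP 403 while the rest of the UI keeps working; the resulting 403 entries in the access log also give a simple signal for spotting probes of the endpoint. The workaround only holds if port 3000 is not reachable directly, which is why the advisory pairs it with "restricting access to Grafana"; upgrading to 6.7.4 or 7.0.2 remains the actual fix.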
Looks like we've had an update for a little while now:

commit a0c47986f1782e15c851dc701a3c11cf1c0468cf
Author: Tobias Klausmann <klausman@gentoo.org>
Date:   Thu Jun 4 10:34:50 2020 +0200

    www-apps/grafana-bin: Bump to v6.7.4

    This contains a security fix:
    https://grafana.com/blog/2020/06/03/grafana-6.7.4-and-7.0.2-released-with-important-security-fix/

    Package-Manager: Portage-2.3.100, Repoman-2.3.22
    Signed-off-by: Tobias Klausmann <klausman@gentoo.org>

 rename www-apps/grafana-bin/{grafana-bin-6.7.3.ebuild => grafana-bin-6.7.4.ebuild} (100%)
*** Bug 726756 has been marked as a duplicate of this bug. ***
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=77439a6401a71baa4f5531618182b52947c13708

commit 77439a6401a71baa4f5531618182b52947c13708
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-08-20 00:02:59 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-08-20 00:03:13 +0000

    www-apps/grafana-bin: bump to v7.1.3

    Closes: https://bugs.gentoo.org/701238
    Closes: https://bugs.gentoo.org/730336
    Bug: https://bugs.gentoo.org/725110
    Bug: https://bugs.gentoo.org/726946
    Package-Manager: Portage-3.0.3, Repoman-3.0.0
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 www-apps/grafana-bin/grafana-bin-7.1.3.ebuild | 35 +++++++++++----------------
 1 file changed, 14 insertions(+), 21 deletions(-)
Last vulnerable version appears to have been removed in the rename to 6.7.4. No stable versions, no GLSA, closing.