CVE-2022-39328: Grafana is an open-source platform for monitoring and observability. Versions starting with 9.2.0 and less than 9.2.4 contain a race condition in the authentication middlewares logic which may allow an unauthenticated user to query an administration endpoint under heavy load. This issue is patched in 9.2.4. There are no known workarounds. Please bump to 9.2.4.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f3372327fcbb60401503751c4ab58f8ef272204a

commit f3372327fcbb60401503751c4ab58f8ef272204a
Author: John Helmert III <ajak@gentoo.org>
AuthorDate: 2022-11-10 01:49:35 +0000
Commit: John Helmert III <ajak@gentoo.org>
CommitDate: 2022-11-10 01:50:13 +0000

    www-apps/grafana-bin: drop 8.5.14, 9.0.9, 9.1.8, 9.2.0

    Bug: https://bugs.gentoo.org/877097
    Bug: https://bugs.gentoo.org/879025
    Bug: https://bugs.gentoo.org/880551
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 www-apps/grafana-bin/Manifest | 4 --
 www-apps/grafana-bin/grafana-bin-8.5.14.ebuild | 66 --------------------------
 www-apps/grafana-bin/grafana-bin-9.0.9.ebuild | 66 --------------------------
 www-apps/grafana-bin/grafana-bin-9.1.8.ebuild | 66 --------------------------
 www-apps/grafana-bin/grafana-bin-9.2.0.ebuild | 66 --------------------------
 5 files changed, 268 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b4c1fcd35fb637eebe424ca7ad4a19da02ab2398

commit b4c1fcd35fb637eebe424ca7ad4a19da02ab2398
Author: John Helmert III <ajak@gentoo.org>
AuthorDate: 2022-11-10 01:48:42 +0000
Commit: John Helmert III <ajak@gentoo.org>
CommitDate: 2022-11-10 01:49:55 +0000

    www-apps/grafana-bin: add 9.2.4

    Bug: https://bugs.gentoo.org/879025
    Bug: https://bugs.gentoo.org/880551
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 www-apps/grafana-bin/Manifest | 1 +
 www-apps/grafana-bin/grafana-bin-9.2.4.ebuild | 66 +++++++++++++++++++++++++++
 2 files changed, 67 insertions(+)
Cleanup done, all done.