Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 719306 (CVE-2020-12245) - <www-apps/grafana-bin-6.7.3: Multiple vulnerabilities (CVE-2020-{12245,12052})
Summary: <www-apps/grafana-bin-6.7.3: Multiple vulnerabilities (CVE-2020-{12245,12052})
Status: RESOLVED FIXED
Alias: CVE-2020-12245
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
URL:
Whiteboard: ~4 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-04-24 21:49 UTC by Sam James
Modified: 2020-05-11 12:08 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-24 21:49:00 UTC 
Description:
"Grafana before 6.7.3 allows table-panel XSS via column.title or cellLinkTooltip."

PR: https://github.com/grafana/grafana/pull/23816
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-24 21:49:19 UTC 
@maintainer(s), please create an appropriate ebuild
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2020-04-27 18:42:11 UTC 
CVE-2020-12052 (https://nvd.nist.gov/vuln/detail/CVE-2020-12052):
  Grafana version < 6.7.3 is vulnerable for annotation popup XSS.
Comment 3 Larry the Git Cow gentoo-dev 2020-05-11 12:07:33 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7308261fd9413cf2fcd60b636f223ad68d7b6f77

commit 7308261fd9413cf2fcd60b636f223ad68d7b6f77
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-05-11 12:06:42 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-05-11 12:07:25 +0000

    www-apps/grafana-bin: security cleanup
    
    Bug: https://bugs.gentoo.org/719306
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 www-apps/grafana-bin/Manifest                 |  2 -
 www-apps/grafana-bin/grafana-bin-6.5.3.ebuild | 71 ---------------------------
 www-apps/grafana-bin/grafana-bin-6.7.2.ebuild | 71 ---------------------------
 3 files changed, 144 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=57aceac5058d4208590578b1ffff790e62e667aa

commit 57aceac5058d4208590578b1ffff790e62e667aa
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-05-11 12:06:19 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-05-11 12:07:24 +0000

    www-apps/grafana-bin: bump to v6.7.3
    
    Bug: https://bugs.gentoo.org/719306
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 www-apps/grafana-bin/Manifest                 |  1 +
 www-apps/grafana-bin/grafana-bin-6.7.3.ebuild | 71 +++++++++++++++++++++++++++
 2 files changed, 72 insertions(+)
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2020-05-11 12:08:10 UTC 
Repository is clean, all done!