Bug 858101 (CVE-2020-7753, CVE-2021-0155, CVE-2021-3807, CVE-2021-3918, CVE-2021-43138, CVE-2022-31097, CVE-2022-31107) - <www-apps/grafana-bin-{8.5.10,9.0.7}: multiple vulnerabilities
Summary: <www-apps/grafana-bin-{8.5.10,9.0.7}: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2020-7753, CVE-2021-0155, CVE-2021-3807, CVE-2021-3918, CVE-2021-43138, CVE-2022-31097, CVE-2022-31107
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
Whiteboard: ~3 [noglsa]
Reported: 2022-07-15 02:35 UTC by John Helmert III
Modified: 2022-11-10 01:51 UTC

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-07-15 02:35:30 UTC
9.0.3 fixes numerous npm package vulnerabilities (prototype pollution, ReDoS).

Both 8.5.9 and 9.0.3 have fixes for:

"Grafana OAuth account takeover (CVE-2022-31107)
Grafana stored XSS vulnerability (CVE-2022-31097)"

From https://github.com/grafana/grafana/pull/52279.

https://github.com/grafana/grafana/releases/tag/v8.5.9
https://github.com/grafana/grafana/releases/tag/v9.0.3

Please bump.
Comment 1 Larry the Git Cow gentoo-dev 2022-08-23 13:54:56 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=42da957de1631c4e0ca1f235bc4a7ccd4d8c46f5

commit 42da957de1631c4e0ca1f235bc4a7ccd4d8c46f5
Author:     Patrick Lauer <patrick@gentoo.org>
AuthorDate: 2022-08-23 13:51:01 +0000
Commit:     Patrick Lauer <patrick@gentoo.org>
CommitDate: 2022-08-23 13:54:53 +0000

    www-apps/grafana-bin: Bump to 8.5.10 9.0.7 9.1.0
    
    Also remove old
    
    Bug: https://bugs.gentoo.org/858101
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Patrick Lauer <patrick@gentoo.org>

 www-apps/grafana-bin/Manifest                      |  7 +--
 ...bin-7.5.16.ebuild => grafana-bin-8.5.10.ebuild} |  0
 www-apps/grafana-bin/grafana-bin-9.0.2.ebuild      | 64 ----------------------
 ...a-bin-8.5.3.ebuild => grafana-bin-9.0.7.ebuild} |  0
 ...a-bin-8.5.6.ebuild => grafana-bin-9.1.0.ebuild} |  0
 5 files changed, 3 insertions(+), 68 deletions(-)
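
Review bot: The commit message says only "Also remove old" while the diffstat shows grafana-bin-9.0.2.ebuild deleted (64 lines) and the 7.5.16, 8.5.3 and 8.5.6 ebuilds renamed to the new versions, so the message should name the versions that leave the tree. For a security bump that makes it possible to confirm from the log alone that no ebuild below the fixed 8.5.10 and 9.0.7 versions named in the bug title remains. The renames also show 0 changed lines, so the new ebuilds are byte-identical copies of ones written for 7.5.16, 8.5.3 and 8.5.6; a line in the message stating that nothing version-specific needed updating for 8.5.10, 9.0.7 and 9.1.0 would answer the obvious review question.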