* Wed Jan 08 2025 witold.bedyk@suse.com
- CVE-2024-45337: Prevent possible misuse of
ServerConfig.PublicKeyCallback by upgrading golang.org/x/crypto
(bsc#1234554)
* Add 0004-Bump-crypto.patch
* Tue Nov 26 2024 witold.bedyk@suse.com
- Update to version 10.4.13:
* Bugfixes
Alerting: Add useReturnTo hook to safely handle returnTo
parameter
VizTooltip: Fix positioning on mobile
* Mon Nov 11 2024 witold.bedyk@suse.com
- Pin Go to version 1.22
- Removed patch 0002-Fix-permission-on-external-rule-write.patch
- Added patch 0002-Fix-msagl-and-remove-esfx.patch
- Update to version 10.4.12 (jsc#PED-11591):
* Bugfixes
Alerting: Make context deadline on AlertNG service startup
configurable.
- Update to version 10.4.11:
* Bugfixes
[SECURITY] CVE-2024-8118: Fix incorrect permission on POST
external rule alerting groups endpoint.
Alerting: Fix broken panelId links.
Dashboard: Make dashboard search faster.
- Update to version 10.4.10:
* Bugfixes
AzureMonitor: Deduplicate resource picker rows.
Correlations: Limit access to correlations page to users who
can access Explore.
- Update to version 10.4.9:
* Bugfixes
Provisioning: Prevent provisioning folder errors from failing
startup.
- Update to version 10.4.8:
* Bugfixes
Alerting: Fix persisting result fingerprint that is used by
recovery threshold.
Snapshots: Fix panic when snapshot_remove_expired is true.
- Update to version 10.4.7:
* Bugfixes
[SECURITY] Fixed CVE-2024-6837.
- Update to version 10.4.6:
* Features and enhancements
Prometheus: Reintroduce Azure audience override feature flag.
* Bugfixes
Alerting: Fix Discord, Microsoft Teams and Telegram
integrations.
Alerting: Fix panic in provisioning filter contacts by unknown
name.
Alerting: Skip loading alert rules for dashboards when
disabled.
Echo: Suppress errors from frontend-metrics API call failing.
- Update to version 10.4.5:
* Bugfixes
Echo: Suppress errors from frontend-metrics API call failing.
Azure Monitor: Add validation for namespace field in
AdvancedResourcePicker when entering a forward
slash.
- Update to version 10.4.4:
* Bugfixes
BrowseDashboards: Prepend subpath to New Browse Dashboard
actions.
Alerting: Fix rule storage to filter by group names using
case-sensitive comparison.
Alerting: Fix editing Grafana folder via alert rule editor.
AzureMonitor: Fix bug detecting app insights queries.
Auth: Fix signout redirect url.
SSE: Fix threshold unmarshal to avoid panic.
Alerting: Fix typo in JSON response for rule export.
CloudMonitoring: Fix query type selection issue.
- Update to version 10.4.3:
* Bugfixes
CloudMonitoring: Improve legacy query migrations.
Azure data sources: Set selected config type before save.
Provisioning: Look up provisioned folders by UID when possible.
Cloudwatch: Update grafana-aws-sdk to fix sts endpoints.
Alerting: Prevent search from locking the browser.
SQLStore: Disable redundant create and drop unique index
migrations on dashboard table.
Alerting: Take receivers into account when custom grouping
Alertmanager groups.
LDAP: Fix listing all non-matching groups.
Alerting: Fix simplified routing group by override.
Alerting: Return a 400 and errutil error when trying to delete
a contact point that is referenced by a policy.
LibraryPanelRBAC: Fix issue with importing dashboards
containing library panels.
Google Cloud Monitor: Fix res being accessed after it becomes
nil in promql_query.go.
Google Cloud Monitor: Fix interface conversion for incorrect
type in cloudMonitoringProm.run.
Dashboard: Allow auto refresh option when saving a dashboard.
- Update to version 10.4.2:
* Security
CVE-2024-28180: Fix improper handling of highly compressed data
(bsc#1235206)
* Bugfixes
Angular deprecation: Prefer local “angularDetected” value to
the remote one.
AuthProxy: Fix missing session for ldap auth proxy users.
Alerting: Fix receiver inheritance when provisioning a
notification policy.
CloudMonitoring: Only run query if filters are complete.
- Update to version 10.4.1:
* Features and enhancements
Alerting: Add "Keep Last State" backend functionality.
Postgres: Allow disabling SNI on SSL-enabled connections.
DataQuery: Track panel plugin id not type.
* Bugfixes
Elasticsearch: Fix legend for alerting, expressions and
previously frontend queries.
Alerting: Fix optional fields requiring validation rule.
ExtSvcAccounts: FIX prevent service account deletion.
Loki: Fix null pointer exception in case request returned an
error.
Dashboard: Fix issue where out-of-view shared query panels
caused blank dependent panels.
Auth: Only call rotate token if we have a session expiry
cookie.
Serviceaccounts: Add ability to add same-name SA for different
orgs.
GenAI: Update the component only when the response is fully
generated.
Tempo: Better fallbacks for metrics query.
Tempo: Add template variable interpolation for filters.
Alerting: Fix saving evaluation group.
QueryVariableEditor: Select a variable ds does not work.
Logs Panel: Add option extra UI functionality for log context
- Update to version 10.4.0:
* Features and enhancements
Canvas: Add support for snapping and aligning elements
Geomap: Add support for geojson layer styling
Visualizations: Allow viewing data links inline in table
visualizations.
Alerting: Add Grafana Alerting migration preview tool.
Alerting: Simplified alert notification routing.
Plugins: Add SurrealDB datasource (experimental).
Auth: Easier configuration for OAuth providers.
- Update to version 10.3.3:
* Bugfixes
[SECURITY] CVE-2023-6152: Add email verification when updating
user email (bsc#1219912)
Elasticsearch: Fix creating of legend so it is backward
compatible with frontend produced frames.
ShareModal: Fixes url sync issue that caused issue with save
drawer.
- Update to version 10.3.2:
* (unreleased)
- Update to version 10.3.1:
* Upstream build changes only, no functional changes
- Update to version 10.3.0:
* Features and enhancements
Canvas: Add support for pan and zoom.
Dashboards: Allow viewing percent change in stat visualizations
Alerting: Improved organization and visibility of contact
points.
Logs: Improved search and queries with the popover menu.
- Update to version 10.2.3:
* Breaking changes
In panels using the `extract fields` transformation, where one
of the extracted names collides with one of the already
existing fields, the extracted field will be renamed.
Existing backend mode users who have table
visualizations might see some inconsistencies on their panels.
We have updated the table column naming. This will
potentially affect field transformations and/or field
overrides. To resolve this either: update transformation or
field override.
Existing backend mode users who have Transformations
with the `time` field might see that their transformations are
not working. Those panels that have broken transformations
will fail to render. This is because we changed the field
key. To resolve this either: Remove the affected panel and
re-create it; Select the `Time` field again; Edit the `time`
field as `Time` for transformation in `panel.json` or
`dashboard.json`
The following data source permission endpoints have been
removed:
`GET /datasources/:datasourceId/permissions`
`POST /api/datasources/:datasourceId/permissions`
`DELETE /datasources/:datasourceId/permissions`
`POST /datasources/:datasourceId/enable-permissions`
`POST /datasources/:datasourceId/disable-permissions`
Please use the following endpoints instead:
`GET /api/access-control/datasources/:uid` for listing data
source permissions
`POST /api/access-control/datasources/:uid/users/:id`,
`POST /api/access-control/datasources/:uid/teams/:id` and
`POST /api/access-control/datasources/:uid/buildInRoles/:id`
for adding or removing data source permissions
If you are using Terraform Grafana provider to manage data
source permissions, you will need to upgrade your provider.
* Security
CVE-2025-21613: Removes vulnerable library
github.com/go-git/go-git/v5 (bsc#1235574)
* Features and enhancements
Azure: New default dashboards.
Visualization: Apply data transformations to annotation data.
Visualization: Plot enum values in time series and state
timeline.
Visualization: Enhanced tooltips.
Visualization: Use a transformation to perform regression
analysis.
Alerting: Extended Opsgenie contact point.
Auth: Allow monitoring the anonymous devices connected to
Grafana instance
- Update to version 10.2.2:
* Bugfixes
FeatureToggle: Disable `dashgpt` by default and mark it as
preview.
SaveDashboardPrompt: Reduce time to open drawer when many
changes applied.
Alerting: Fix export with modifications URL when mounted on
subpath.
Explore: Fix queries (cached & non) count in usage insights.
Plugins: Keep working when there is no internet access.
- Update to version 10.2.1:
* Breaking changes
Existing backend mode users who have table visualizations
might see some inconsistencies on their panels. We have
updated the table column naming. This will potentially affect
field transformations and/or field overrides.
* Features and enhancements
Stat: Add panel option to control wide layout.
* Bugfixes
Dashboards: Fix dashboard listing when user can't list any
folders.
Search: Modify query for better performance.
Dashboards: Fix issue causing crashes when saving new
dashboard.
RBAC: Allow scoping access to root level dashboards.
CloudWatch Logs: Add labels to alert and expression queries.
Datasource: Respect data source version when provisioning.
Explore: Fix support for angular based datasource editors.
Plugins: Fix status_source always being "plugin" in plugin
request logs.
InfluxDB: Fix aliasing with $measurement or $m on backend mode.
InfluxDB: Fix parsing multiple tags on backend mode.
Explore: Fix panes vertical scrollbar not being draggable.
Explore: Avoid reinitializing graph on every query run.
Dashboards: Correctly set permissions on provisioned
dashboards.
InfluxDB: Fix adhoc filter calls by properly checking optional
parameter in metricFindQuery.
InfluxDB: Fix table parsing with backend mode.
Alerting: Alert rule constraint violations return as 400s in
provisioning API.
- Update to version 10.2.0:
* Breaking changes
The deprecated `/playlists/{uid}/dashboards` API endpoint has
been removed. Dashboard information can be retrieved from the
`/dashboard/...` APIs.
The `PUT /api/folders/:uid` endpoint no longer supports modifying
the folder's `UID`
Removed all components for the old panel header design.
* Features and enhancements
Canvas: Add ability to create interactive buttons
Dashboards: Allow zooming in on the y-axis of the time series
and candlestick visualizations.
Dashboards: Calculate visualization min/max individually per
field.
Dashboards: Use AI to generate titles, descriptions, and change
summaries.
Dashboards: Add ability to share dashboards publicly.
Alerting: Integrate Grafana alerts with Grafana OnCall.
Tempo: Compute RED metrics over spans aggregated by attribute
with the “Aggregate By” Search option.
Tempo: Group multiple spansets per trace.
Transformations: Incorporate dashboard variables directly into
transformations.
Pyroscope: Add support for template variables.
CloudWatch: Add support for Temporary Credentials.
Dashboards: Navigate and manage Grafana dashboards with the
improved dashboard browse function.
RBAC: Better access control with new option ‘No basic role’.
- Update to version 10.1.7:
* [SECURITY] CVE-2023-6152: Add email verification when updating
user email
* [FEATURE] DashboardSchema: Add options to VariableModel
* [BUGFIX] Annotations: Split cleanup into separate queries and
deletes to avoid deadlocks on MySQL
- Update to version 10.1.6:
* [FEATURE] Alerting: Attempt to retry retryable errors
* [FEATURE] Azure: Add support for Workload Identity
authentication
* [BUGFIX] Alerting: Fix deleting rules in a folder with matching
UID in another organization
* [BUGFIX] Alerting: Make shareable alert rule link work if rule
name contains forward slashes
* [BUGFIX] Loki: Cache extracted labels to avoid too many sample
requests in code editor
* [BUGFIX] DataSourcePicker: Disable autocomplete for the search
input
* [BUGFIX] Plugins: Refresh plugin info after installation
* [BUGFIX] LDAP: FIX Enable users on successful login
* [BUGFIX] Loki: Fix filters not being added with multiple
expressions and parsers
- Update to version 10.1.5:
* Features and enhancements
Azure: Settings for Azure AD Workload Identity
Azure: Add support for Workload Identity authentication
* Bugfixes:
Alerting: Add support for `keep_firing_for` field from external
rulers
Cloudwatch: Prevent log group requests with ARNs if feature
flag is off
Cloudwatch: Backport 73524 Bring Back Legacy Log Group Picker
- Update to version 10.1.4:
* Features and enhancements
Azure: Add support for Workload Identity authentication.
- Version 10.1.3 not released
- Update to version 10.1.2:
* (upstream packaging dependency changes only, identical to
10.1.1 for our purposes)
- Update to version 10.1.1:
* Features and enhancements
Loki: Remove distinct operation.
Alerting: Optimize rule details page data fetching.
Alerting: Optimize external Loki queries.
* Bug fixes
Elasticsearch: Fix respecting of precision in geo hash grid.
AuthProxy: Fix user retrieval through cache.
Logs: Fix log samples not present with empty first frame.
Alerting: Fix Recording Rule QueryEditor builder view.
Transforms: Catch errors while running transforms.
Dashboard: Fix version restore.
Logs: Fix permalinks not scrolling into view.
Rendering: Fix dashboard screenshot.
Loki: Fix validation of step values to also allow e.g. ms
values.
Dashboard: Fix repeated row panel placement with larger number
of rows.
Alerting: Remove dump wrapper for yaml config.
Alerting: Always invalidate the AM config after mutation.
Logs: Fix displaying the wrong field as body.
Alerting: Fix "see graph button" for cloud rules.
- Update to version 10.1.0:
* Breaking changes
OAuth role mapping enforcement: This change impacts GitHub,
Gitlab, Okta, and Generic OAuth. To avoid overriding manually
set roles, enable the skip_org_role_sync option in the
Grafana configuration for your OAuth provider before
upgrading.
* Features and enhancements
Dashboards: Improved flame graph visualisation including new
sandwich view, switching color scheme, switching
symbol names alignment and improved navigation.
Dashboards: Allow displaying network data in the Geomap
visualization by using the new beta Network layer.
Dashboards: Allow disconnecting values in Time series, Trend,
and State timeline visualizations.
Traces: Moved span filtering for traces out of public preview
into general availability.
Tempo: Improved query efficiency with TraceQL response
streaming.
Dashboards: Distinguish widgets from visualizations for
building better dashboards.
Alerting: Improved alert rule creation workflow.
- Update to version 10.0.3:
* Features and enhancements
Alerting: Sort NumberCaptureValues in EvaluationString.
Alerting: No longer silence paused alerts during legacy
migration.
Auth: Add support for custom signing keys in auth.azure_ad.
* Bug fixes
Alerting: Fix edit/view of webhook contact point when no
authorization is set.
AzureMonitor: Set timespan in Logs Portal URL link.
Plugins: Only configure plugin proxy transport once.
Elasticsearch: Fix multiple max depth flatten of multi-level
objects.
Elasticsearch: Fix histogram colors in backend mode.
Alerting: Fix state in expressions footer.
AppChromeService: Fixes update to breadcrumb parent URL.
Elasticsearch: Fix using multiple indexes with comma separated
string.
Alerting: Fix Alertmanager change detection for receivers with
secure settings.
Transformations: Fix extractFields throwing Error if one value
is undefined or null.
XYChart: Point size editor should reflect correct default.
Annotations: Fix database lock while updating annotations.
TimePicker: Fix issue with previous fiscal quarter not parsing
correctly.
AzureMonitor: Correctly build multi-resource queries for
Application Insights components.
AzureMonitor: Fix metric names for multi-resources.
Logs: Do not insert log-line into log-fields in json download.
Loki: Fix wrong query expression with inline comments.
- Update to version 10.0.2:
* Features and enhancements
Alerting: Add limit query parameter to Loki-based ASH api, drop
default limit from 5000 to 1000, extend visible time
range for new ASH UI.
Alerting: Allow selecting the same custom group when swapping
folders.
Alerting: Move rule UID from Loki stream labels into log lines.
Explore: Clean up query subscriptions when a query is canceled.
* Bug fixes
Logs: Fix wrong before and after texts in log context.
Alerting: Add file and rule_group query params in request for
filtering the result.
Alerting: Convert 'Both' type Prometheus queries to 'Range' in
migration.
Alerting: Display correct results when using different filters
on alerting panels.
Alerting: Fix HA alerting membership sync.
Alerting: Fix unique violation when updating rule group with
title chains/cycles.
Dashboard: Fix issue where a panel with a description and a
cached response displays 2 info icons.
Elasticsearch: Make it compatible with the new log context
functionality.
Fix: Change getExistingDashboardByTitleAndFolder to get
dashboard by title, not slug.
LogContext: Fix filtering out log lines with the same entry.
Login: Fix footer from displaying under the login box.
Navigation: Fix toolbar actions flickering on mobile.
Variables: Detect a name for duplicated variable.
XYChart: Ensure color scale is field-local and synced with data
updates.
XYChart: Fix axis range and scale overrides.
* Plugin development fixes & changes
Grafana UI: Fix behaviour regression on Tooltip component.
- Update to version 10.0.1:
* Security fixes
CVE-2023-3128: Fix authentication bypass using Azure AD OAuth
(bsc#1212641)
* Features and enhancements
- Alerting: Update alerting module
- Schema: Improve Dashboard kind docs and remove deprecated
props.
- Update to version 10.0.0:
* Breaking changes
Angular is deprecated
Grafana legacy alerting is deprecated and no longer accepts
internal or external contributions
API keys are migrating to service accounts
The experimental “dashboard previews” feature is removed
Usernames are now case-insensitive by default
Grafana OAuth integrations do not work anymore with email
lookups
The “Alias” field in the CloudWatch data source is removed
Athena data source plugin must be updated to version >=2.9.3
Redshift data source plugin must be updated to version >=1.8.3
DoiT International BigQuery plugin no longer supported
Check out https://grafana.com/docs/grafana/next/breaking-changes/breaking-changes-v10-0
for details
* Features and enhancements
Themes: Unify secondary button and ToolbarButton.
* Bug fixes
Query Editor: Ensure dropdown menus position correctly.
Drawer: Fixes closeOnMaskClick false issue.
* Mon Nov 11 2024 witold.bedyk@suse.com
- Use #!/usr/bin/bash shebang for package dependency generator to
work correctly.
* Add 0002-Use-bash-instead-of-env.patch
* Mon Oct 28 2024 witold.bedyk@suse.com
- CVE-2024-8118: Fix permission on external alerting rule write
endpoint (bsc#1231024)
Added patch 0002-Fix-permission-on-external-rule-write.patch